Analysis Overview
SHA256
202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410ad
Threat Level: Known bad
The file aea459bd4a96c0440c4435bfe39aaf40_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Pandastealer family
Panda Stealer payload
PandaStealer
Blocklisted process makes network request
Event Triggered Execution: Component Object Model Hijacking
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Checks installed software on the system
Adds Run key to start application
Installs/modifies Browser Helper Object
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
NSIS installer
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Kills process with taskkill
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Modifies registry class
Modifies Internet Explorer start page
Modifies system certificate store
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-29 03:35
Signatures
Panda Stealer payload
Pandastealer family
Unsigned PE
NSIS installer
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-29 03:35
Reported
2024-11-29 03:38
Platform
win7-20241010-en
Max time kernel
150s
Max time network
136s
Command Line
Signatures
Panda Stealer payload
PandaStealer
Pandastealer family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup" | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp-\sipb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\assembly\tmp\72CGA7DD\__AssemblyInfo__.ini | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\spusm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp-\sppsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\Smartbar.Installer.CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\srpdm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\srns.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\sipb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\sppsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\f768901.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\Smartbar.Resources.LanguageSettings.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\Smartbar.Infrastructure.BusinessEntities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\sipb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp-\Smartbar.GUI.Controls.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\tmp\72CGA7DD\Microsoft.VisualStudio.OLE.Interop.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f7688fe.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\f768903.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f768901.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\Smartbar.GUI.Controls.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E97.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA120.tmp-\srpdm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\tmp\YBSBGLPC\Interop.SHDocVw.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0FB.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aea459bd4a96c0440c4435bfe39aaf40_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=29/11/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "yes" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\USER PREFERENCES | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=29/11/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5} | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=29/11/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=29/11/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Smartbar.exe = "9999" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=29/11/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchUrl | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Search\SearchAssistant = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=29/11/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Search | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "yes" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchUrl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=29/11/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Search\SearchAssistant = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=29/11/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=hp&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=hp&installDate=29/11/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}\Implemented Categories | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{26D3A9D0-70E0-3905-838B-67B7AEAD16F0}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{26D3A9D0-70E0-3905-838B-67B7AEAD16F0}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F314-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{06FEA59A-AEB1-3597-8826-61ED753ADC44}\7.0.3300.0\Class = "mshtml._styleRubyPosition" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}\InprocServer32 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2E4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2DF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F0EBA606-4E8D-3878-8A17-DDD69878CC4A}\7.0.3300.0\Class = "mshtml._htmlTabIndex" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F272-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F245-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLSelectElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34A226E0-DF30-11CF-89A9-00A0C9054129}\1.1.0.0\Class = "SHDocVw.CommandStateChangeConstants" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FB2E65F4-5687-33EF-9BBF-4E3C9C98D3B9}\1.0.0.0\Assembly = "SmartbarInternetExplorerExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8BE8AA32-4245-3E8A-91E9-CF037C41FC74} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F277-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7EF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLStyleSheetPageClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F4CB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLElementCollectionClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F28C-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLScriptElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F24E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{ADCDA984-74EE-399A-B8C7-F16E1D96115F}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4E953F92-B7F6-39FA-A192-FB2BB7299F3A}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F6AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2E0ED74B-B69A-3F95-9FD8-66006DB3972C}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F282-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLBaseFontElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}\InprocServer32 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{AF1BFF0C-0614-337B-91D2-81B41AE16A73} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F272-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8E086BAE-D86D-3F6C-9098-EDB0CE1E8103}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DD05F906-C219-3916-B377-597EA9E255C2}\7.0.3300.0\Class = "mshtml._HT_RESULTS" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2B4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2AE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLInputFileElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{11B2663E-7AE0-3DF6-9847-F53250984108}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F6C8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLDefaultsClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7F1-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLStyleSheetPagesCollectionClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F251-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4CB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F38D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F275-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3FF-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8317D46-03CB-4975-AE94-85E9F2E1D020}\1.1.0.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}\InprocServer32\1.0.0.0\Class = "IESmartBar.IESmartBarBandObject" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{85C95AA9-39F2-311E-86C0-D2610A00A85B}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F248-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3CE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLStyleSheetRuleClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\MenuText = "Shopping Helper Smartbar" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\ = "Shopping Helper Smartbar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\InprocServer32 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F4FE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F5F5-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F32B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F3F5-98B4-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{06FEA59A-AEB1-3597-8826-61ED753ADC44}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F284-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D04D285-6BEC-11CF-8B97-00AA00476DA6}\InprocServer32\7.0.3300.0\Class = "mshtml.OldHTMLFormElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DB157C7D-FCF1-3208-84BA-910CE2BAFC75}\7.0.3300.0\Class = "mshtml._styleTextJustify" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32\1.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2A7855AF-528E-3692-8F4E-E6AD67AF1BF2}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B79ADCC5-C84B-3829-873C-B498FE8B5761}\7.0.3300.0\Class = "mshtml._BEHAVIOR_LAYOUT_INFO" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{AF1BFF0C-0614-337B-91D2-81B41AE16A73}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5D8-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 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 | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 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 | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 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 | C:\Windows\SysWOW64\rundll32.exe | N/A |
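The three tables above (Internet Explorer search and start-page values, the COM class registrations written by RegAsm, and the AuthRoot certificate entries) are the artifacts a responder pivots on when confirming this installer on a live host. The following Python helper is an added example and is not sandbox output or code belonging to the analysed sample: it parses rows in the pipe-delimited format used on this page and tags the events worth escalating. The tag names and the sample rows block are my own construction (the rows themselves are copied from the tables above); nothing here asserts anything about the sample beyond what those rows state.

```python
"""Triage helper for the registry-event rows in this report (added example).

Parses "| action | indicator | process | target |" rows and tags:
  - Internet Explorer keys being set to a URL (search/start-page hijack),
  - COM InprocServer32 CodeBase values pointing into a user profile
    (what RegAsm /codebase writes; IE will load that DLL from there),
  - keys created under the machine AuthRoot certificate store,
  - HKLM writes performed by a binary running from a user profile.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Constructed sample: four rows copied verbatim from the tables above plus
# one header row, to show that header rows are skipped.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=hp&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Description | Indicator | Process | Target |
"""

ROW_RE = re.compile(r"^\|(.*)\|$")
INDICATOR_RE = re.compile(r'^(?P<path>.*?)(?: = "(?P<value>.*)")?$')
AUTHROOT_RE = re.compile(r"\\SystemCertificates\\AuthRoot\\Certificates\\([0-9A-F]{40})", re.I)
FILE_URL_IN_PROFILE_RE = re.compile(r"^file:///[a-z]:/users/[^/]+/appdata/", re.I)
PATH_IN_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)


@dataclass
class RegEvent:
    action: str
    key: str
    value_name: Optional[str]
    value: Optional[str]
    process: str
    tags: Set[str] = field(default_factory=set)


def parse_row(line: str) -> Optional[RegEvent]:
    """Parse one table row; return None for header rows and non-row lines."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    cells = [c.strip() for c in m.group(1).split("|")]
    if len(cells) != 4 or cells[0] == "Description":
        return None
    action, indicator, process, _target = cells
    im = INDICATOR_RE.match(indicator)
    path, value = im.group("path"), im.group("value")
    # "Set value" rows carry 'key\name = "value"'; split off the value name.
    if value is not None and "\\" in path:
        key, value_name = path.rsplit("\\", 1)
    else:
        key, value_name = path, None
    return RegEvent(action, key, value_name, value, process)


def classify(ev: RegEvent) -> Set[str]:
    """Return the triage tags (names are my own) that apply to one event."""
    tags: Set[str] = set()
    key_l = ev.key.lower()
    if "\\internet explorer\\" in key_l and ev.value and ev.value.lower().startswith("http"):
        tags.add("ie_search_or_start_page_hijack")
    if ev.value_name == "CodeBase" and ev.value and FILE_URL_IN_PROFILE_RE.match(ev.value):
        tags.add("com_server_codebase_in_user_profile")
    if AUTHROOT_RE.search(ev.key):
        tags.add("authroot_certificate_added")
    if key_l.startswith("\\registry\\machine\\") and PATH_IN_PROFILE_RE.match(ev.process):
        tags.add("hklm_write_by_user_profile_binary")
    return tags


def triage(rows_text: str) -> List[RegEvent]:
    """Parse every row in the text and attach tags to each parsed event."""
    events = [ev for ev in (parse_row(l) for l in rows_text.splitlines()) if ev]
    for ev in events:
        ev.tags = classify(ev)
    return events


def summarize(events: List[RegEvent]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for ev in events:
        for tag in ev.tags:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


def hijack_hosts(events: List[RegEvent]) -> Set[str]:
    """Hostnames the browser would be sent to; the pivot for network hunting."""
    return {urlparse(ev.value).hostname for ev in events
            if "ie_search_or_start_page_hijack" in ev.tags and ev.value}


def cert_thumbprints(events: List[RegEvent]) -> Set[str]:
    """SHA-1 thumbprints of AuthRoot entries touched; pivot for certutil -store."""
    return {AUTHROOT_RE.search(ev.key).group(1).upper()
            for ev in events if "authroot_certificate_added" in ev.tags}


if __name__ == "__main__":
    evs = triage(SAMPLE_ROWS)
    print(summarize(evs), hijack_hosts(evs), cert_thumbprints(evs))
```

Feed the full exported tables to `triage()` rather than the embedded sample to get the complete picture. The CodeBase tag is the one to act on first: a `file:///` CodeBase under a user profile means the COM server (here the IE extension) loads from a user-writable directory without elevation, and the same path appears in the RegAsm command lines in the process list below. The thumbprint set is what you would compare against `certutil -store AuthRoot` on suspected hosts.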
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aea459bd4a96c0440c4435bfe39aaf40_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aea459bd4a96c0440c4435bfe39aaf40_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\Installer.exe
C:\Users\Admin\AppData\Local\Temp\Installer.exe /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE;INSTALLATION_ID:d13811c3-be3c-f963-4eca-e759baed3971
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 858E202452C122DD1774A1DBDF1596B2
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI8E97.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259428227 1 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pj9m_sgc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9261.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9260.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hu9rztdy.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9510.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC950F.tmp"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIA120.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259432751 5 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIB0FB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259436807 9 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aroqw-7h.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB25F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB25E.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vhz4rwvs.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2BD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB2BC.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
"C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cfdwsxem.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE13C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE13B.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\je0nqyu4.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2C2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE2C1.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vi492n1j.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE37D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE37C.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iwnkkxin.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE429.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE418.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hozik-on.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4F3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE4F2.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uyr5fl_e.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE541.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE540.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qz1rlyxz.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5CE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE5CD.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0s-f86bp.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE679.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE678.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rbzakhnp.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE754.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE753.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uhczytty.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB0B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEAFB.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vhnfmgfg.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF671.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF670.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qki9ejqu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9F9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF9F8.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uxzzqj5m.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC2B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFC2A.tmp"
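The csc.exe / cvtres.exe pairs above are the .NET CodeDom compile chain: a response file and generated source (`<random>.cmdline`, `<random>.0.cs`) in the user's Temp directory are compiled into `<random>.dll`, and cvtres.exe converts the RES/CSC temp files into a resource object. The Files section of this report lists exactly those artifacts (`pj9m_sgc.cmdline`, `pj9m_sgc.0.cs`, `pj9m_sgc.dll`). Applications that use XmlSerializer produce the same chain legitimately, so on its own the pattern is a hunting lead, not a verdict; correlate it with the parent process and with where the compiled DLL is loaded from. The following is an added example written for this report, not sandbox tooling: it extracts the chains from process command lines and flags a burst of Temp-directory compiles. The sample lines are copied from this report plus one constructed build-directory invocation, and the burst threshold is an assumption.

```python
"""Flag .NET runtime compilation chains (csc.exe -> cvtres.exe) whose inputs
live under a user's Temp directory.

Added example for this report, not sandbox code. Sample lines are copied from
the process list above plus one constructed benign build; the pairing logic
and the burst threshold are assumptions."""
import re

SAMPLE_CMDLINES = [
    # three chains copied from the report
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\je0nqyu4.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2C2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE2C1.tmp"',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vi492n1j.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE37D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE37C.tmp"',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iwnkkxin.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE429.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE418.tmp"',
    # constructed: a developer build whose response file is outside Temp
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig @"C:\src\proj\obj\Debug\proj.rsp"',
]

# csc.exe invoked with a response file (@file); CodeDom names it *.cmdline
CSC_RE = re.compile(r'csc\.exe"?\s.*?@"?(?P<rsp>[^"]+\.(?:cmdline|rsp))', re.IGNORECASE)
# cvtres.exe with its /OUT: target and the CSC*.tmp input it consumes
CVTRES_RE = re.compile(r'cvtres\.exe\s.*?"/OUT:(?P<out>[^"]+)"\s+"(?P<in>[^"]+)"', re.IGNORECASE)
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
# CodeDom / XmlSerializer temp compiles use an 8-character random base name
RANDOM_BASE_RE = re.compile(r'\\([a-z0-9_-]{8})\.cmdline$', re.IGNORECASE)


def parse_compile_chains(cmdlines):
    """One record per csc.exe call, with the cvtres.exe call that follows it
    attached, so a chain can be assessed as a unit."""
    chains = []
    for line in cmdlines:
        m = CSC_RE.search(line)
        if m:
            rsp = m.group('rsp')
            base = RANDOM_BASE_RE.search(rsp)
            chains.append({
                'response_file': rsp,
                'from_temp': bool(TEMP_RE.search(rsp)),
                'random_name': base.group(1) if base else None,
                'cvtres_out': None,
            })
            continue
        m = CVTRES_RE.search(line)
        if m and chains and chains[-1]['cvtres_out'] is None:
            chains[-1]['cvtres_out'] = m.group('out')
    return chains


def assess(cmdlines, burst_threshold=3):
    """Count chains compiled from %TEMP% with a random base name and call it a
    burst above the threshold (an assumed value; tune per environment)."""
    chains = parse_compile_chains(cmdlines)
    temp_chains = [c for c in chains if c['from_temp'] and c['random_name']]
    return {
        'total': len(chains),
        'temp_compiles': len(temp_chains),
        'burst': len(temp_chains) >= burst_threshold,
        'response_files': [c['response_file'] for c in temp_chains],
    }


if __name__ == '__main__':
    print(assess(SAMPLE_CMDLINES))
```

The response file names are the pivot: the same random base appears on the `.0.cs` source and the resulting `.dll`, so a hit here tells you which dropped DLL to pull from the sandbox and which process to look for in the image-load telemetry.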
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cloud-search.linkury.com | udp |
| US | 167.71.184.143:80 | cloud-search.linkury.com | tcp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.83:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | cloud-search.snapdoapp.com | udp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | feed.snapdo.com | udp |
| US | 172.232.4.213:80 | feed.snapdo.com | tcp |
| US | 8.8.8.8:53 | ww99.snapdo.com | udp |
| US | 69.16.230.227:80 | ww99.snapdo.com | tcp |
| US | 8.8.8.8:53 | ww12.snapdo.com | udp |
| US | 75.2.73.197:80 | ww12.snapdo.com | tcp |
| US | 8.8.8.8:53 | pool.ntp.org | udp |
| US | 8.8.8.8:53 | csc3-2010-crl.verisign.com | udp |
| SE | 192.229.221.95:80 | csc3-2010-crl.verisign.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.187.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | install.outbrowse.com | udp |
| US | 13.248.169.48:80 | install.outbrowse.com | tcp |
| US | 8.8.8.8:53 | az412542.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az412542.vo.msecnd.net | udp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | au.snapdoapp.com | udp |
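Most rows in the Network table are background traffic any Windows host generates during a detonation: resolver queries to 8.8.8.8, CRL fetches from crl.microsoft.com and csc3-2010-crl.verisign.com, NTP, and Microsoft and Google hosts. The rows specific to this sample are the lookups and port-80 connections to linkury.com, snapdo.com, snapdoapp.com and outbrowse.com, which line up with the Smartbar components listed under Files. The added example below (written for this report, not sandbox code) pairs each lookup with the connection that followed it, discards the lookups themselves, and applies an allowlist. The allowlist contents are an assumption to adjust per environment, and the sample rows are a subset copied from the table above.

```python
"""Triage a sandbox Network table: keep the destinations the sample actually
connected to, separate them from background traffic, and emit IOCs.

Added example for this report, not sandbox tooling. Rows are copied from the
table above; the allowlist is an assumption."""
import re
from collections import defaultdict

NETWORK_TABLE = """
| US | 8.8.8.8:53 | cloud-search.linkury.com | udp |
| US | 167.71.184.143:80 | cloud-search.linkury.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.83:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | feed.snapdo.com | udp |
| US | 172.232.4.213:80 | feed.snapdo.com | tcp |
| US | 8.8.8.8:53 | pool.ntp.org | udp |
| US | 8.8.8.8:53 | install.outbrowse.com | udp |
| US | 13.248.169.48:80 | install.outbrowse.com | tcp |
| US | 8.8.8.8:53 | au.snapdoapp.com | udp |
"""

# Assumed background traffic: CRL checks, time sync, vendor/CDN hosts.
ALLOWLIST_SUFFIXES = ('microsoft.com', 'msecnd.net', 'verisign.com',
                      'google.com', 'pool.ntp.org')
RESOLVERS = {'8.8.8.8'}

ROW_RE = re.compile(
    r'^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]+?)\s*\|\s*(udp|tcp)\s*\|$')


def parse_rows(table):
    """Parse the pipe-delimited rows into dicts; skips headers and blanks."""
    rows = []
    for line in table.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({'country': country, 'ip': ip, 'port': int(port),
                         'domain': domain, 'proto': proto})
    return rows


def is_allowlisted(domain):
    return any(domain == s or domain.endswith('.' + s) for s in ALLOWLIST_SUFFIXES)


def triage(table):
    """Per domain: the (ip, port, proto) tuples the sample connected to, whether
    the name was only ever resolved, and the allowlist verdict."""
    by_domain = defaultdict(lambda: {'connections': [], 'dns_only': True})
    for r in parse_rows(table):
        rec = by_domain[r['domain']]
        if r['proto'] == 'udp' and r['port'] == 53 and r['ip'] in RESOLVERS:
            continue  # this row is the lookup; its destination is the resolver
        rec['connections'].append((r['ip'], r['port'], r['proto']))
        rec['dns_only'] = False
    return {d: {**v, 'allowlisted': is_allowlisted(d)} for d, v in by_domain.items()}


def iocs(table):
    """Domains to block (everything not allowlisted) and the IPs actually
    contacted for them, in domain order."""
    out = {'domains': [], 'ips': []}
    for d, v in sorted(triage(table).items()):
        if v['allowlisted']:
            continue
        out['domains'].append(d)
        out['ips'].extend(ip for ip, _, _ in v['connections'])
    return out


if __name__ == '__main__':
    print(iocs(NETWORK_TABLE))
```

Block by domain rather than by IP where a name resolves into shared cloud or CDN address space, and treat the `dns_only` names (here `au.snapdoapp.com`, resolved but never connected to) as worth a DNS-log search even though there is no connection to match.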
Files
\Users\Admin\AppData\Local\Temp\nso75CD.tmp\Registry.dll
| MD5 | 2b7007ed0262ca02ef69d8990815cbeb |
| SHA1 | 2eabe4f755213666dbbbde024a5235ddde02b47f |
| SHA256 | 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d |
| SHA512 | aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca |
\Users\Admin\AppData\Local\Temp\Installer.exe
| MD5 | 564e47a3604ced3b7c18e43250226cd7 |
| SHA1 | a3eef8fac3617d048fb9fce2201937297e3920f1 |
| SHA256 | 12ae00fe728b441221acd10483eeb1197884738e9bd6eb715ceadeea058c6c83 |
| SHA512 | e925e2a5b60c7257ac6b57b3fc12675d2cc490070c456a8e794f54c6732cc34981c0d88a5acfb2214fd316194f24eae83e8151cfab101daa2f1b59f2d621cdbf |
\Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll
| MD5 | 3cf46bae7e872a661721b0894bc076e2 |
| SHA1 | eaaa0a35e284908dd21cf245a38efe9d2e4c7532 |
| SHA256 | 7ca73cfb8d0502b14b657216b8735394cbd08aa8e4266fb9e86ad84ae159b043 |
| SHA512 | 47065a1cb81b41cab7c98488609470b308c708ba73c0e11c3f06901fde008b280f3b75ee825c12e4681aefbd8a43840e0319b43bbab7fe68b24c30926d0ce9f2 |
\Users\Admin\AppData\Local\Temp\smartbar\GuidCreator.dll
| MD5 | 4876414d51fe01bd8525df2f8acd35d6 |
| SHA1 | f9435c39e3029276e71a971e48f68d3f0298fe11 |
| SHA256 | 4bda5a964065b918ce70a27914056b17a95e3f8002028b394ecf8ff2d7cebf3d |
| SHA512 | d18afa3d806fd056836beb5a0822156402afe3455567d41f9b27d578980d5ae341273cadf5dff3175a799e791822e07eede03e3c0c143604f980f7876cd2fc0a |
memory/2880-27-0x00000000001A0000-0x00000000001E0000-memory.dmp
memory/2880-28-0x0000000074891000-0x0000000074892000-memory.dmp
memory/2880-31-0x0000000074890000-0x0000000074E3B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi
| MD5 | e5314db579a141f6a5204f70e7073de0 |
| SHA1 | 3d2e28be7594fd754213e3ea19b4f900f6634c91 |
| SHA256 | 84263b76687ff69f306579fb3f05f3a0528db029cf0f2f60eddc22549545408d |
| SHA512 | f18c446d8e388759c12527ca970dea3c24af954d199c39027eae4ad8c97df7c902f24845ab0ee0ffd9ad9ee6768c43169b11fec47bd3246cd2e9c7e8da44993a |
C:\Users\Admin\AppData\Local\Temp\Cab8AA5.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar8AB8.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Windows\Installer\MSI8E97.tmp
| MD5 | 44c66c7febaf067ac2f96e3bb643a5b3 |
| SHA1 | bc83eb57ebb44206b467c4147a7f82d52662e9b5 |
| SHA256 | 641fae557b683029787befda2a2ed5251b19a4c11fc19e3dbf2cd97459e7e383 |
| SHA512 | 41ce527bd09ae6b3126947197c94169121dcffe79b9db624a17a3a45d4e25a2f53dde0a686b4329b9e2d5c33bbbc6d6b9cc840b97731eac38ae31254dfd3364b |
\Windows\Installer\MSI8E97.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 34d4a23cab5f23c300e965aa56ad3843 |
| SHA1 | 68c62a2834f9d8c59ff395ec4ef405678d564ade |
| SHA256 | 27cf8a37f749692ab4c7a834f14b52a6e0b92102e34b85ffcb2c4ee323df6b9c |
| SHA512 | 7853f1bc1e40c67808da736e30011b3f8a5c19ddf4c6e29b3e0eb458bea2e056fe0b12023ceac7145c948a6635395e466e47bdd6f0cfa1bd7f6a840e31e4694c |
\Windows\Installer\MSI8E97.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll
| MD5 | 5dc8a7062040e05ad36bd83246954b05 |
| SHA1 | f6807be0413724076c8c384576ad9a5bc1413e8c |
| SHA256 | d00f229036a6ea19e05c9838f2827fdb22b3003af4c7c97b37abf2ea36236dfc |
| SHA512 | 43cda9b7a57ae292b71df7a8f02c359b486a82162f92e2d8a7449f2b9c835a7ba44177477a7e0763a5698a4b2d9a025f8786c054950db3fab017edfdf4c17f12 |
\Windows\Installer\MSI8E97.tmp-\Smartbar.Installer.CustomActions.dll
| MD5 | 2120dbb0481374885af660346f503b9b |
| SHA1 | 0dad9f77c93325cbe2499efac70ebbbfd8e1a4b3 |
| SHA256 | ef0e1d3a5f58e797c47d1ca2999e6ab1e94520c3816a8264874920c26c9ae474 |
| SHA512 | 46966d2eec899fbd48b8aaf5e72555cec3b2f1bc2481c2eb014d98078aa6b6e825144718fbe2aa7b23d816462645186abbfc2ebdc7a4f331d5087999f21ca68a |
\Windows\Installer\MSI8E97.tmp-\spusm.dll
| MD5 | e28c8d2fd64ba27d9b992fc325f26a9d |
| SHA1 | d9ed413265967b6ede8787aa8c5e5734a4ea1358 |
| SHA256 | 82d96714ac65e6e18e3da619cfd1367416bba5ed6d08db7bf312f8937f95f2ab |
| SHA512 | e2fcc5972c48fa1d26d2df0b2c5ed4e34d15d7f08eb35510989441b4083f30d19f6d5fc2652ac42d11a3877f333ad4408c0cb547ecf7b948e1f324f719cfc739 |
\Windows\Installer\MSI8E97.tmp-\srbs.dll
| MD5 | 7ec601a05f97c73fc2180e8c57efc9af |
| SHA1 | 7c99dcdcec211459b1d9d429e2ada2839876f492 |
| SHA256 | 982d12314935e25a016da0bec644bc4c8bd02b0984eb70b76e081b3562a6adf8 |
| SHA512 | 119e216313540f0fac30c1a8e531909dbdc8022735a9fb73b80c8bbbb2ff0548cdf911e640cd19827acff703c95b1d8db0ddf3ed61d056e9e4d4f437b8c88e7b |
\Windows\Installer\MSI8E97.tmp-\srbhu.dll
| MD5 | fcbe6dec3d2da2ac9fd2754cc9cf6ad9 |
| SHA1 | 7954bdf16f99bf843c5c8053a078813d87c94254 |
| SHA256 | 71688a7955124b644cb05833d8285b876c7ff336eb4478ce01e1f80b07f7b76e |
| SHA512 | 5975297ac6aaa7d85842079809f9be2ad57959da2687de4bb7aa0764bc16dd878c482a92d7c4a4ed484aa7683f60c90b870757165f79d7ae481b7f7897e94c39 |
\Windows\Installer\MSI8E97.tmp-\sppsm.dll
| MD5 | 787104ad9dea702d115883c489be54cb |
| SHA1 | b24680d170c610203df5e3d1d52b2b04f938dd56 |
| SHA256 | 934230fc9da4c6eac4b1f916baec075ac5faf1a70af14dcdb62d3d06ca878cd3 |
| SHA512 | 861147b8ed484a25a5ca9af8b7488896ee41dfd4eb57dafd4bb33455b03936c8fd930224fd9a1a0e8dcddf0fc33bc7adfc3ac48ca3ff430122f3ce18952fe312 |
\Windows\Installer\MSI8E97.tmp-\Smartbar.Personalization.Common.dll
| MD5 | 347b0b5d32b1a85b5450b08cfb6d2e75 |
| SHA1 | 7bfe1857974a6c6c3e882624d820311c1e3bf670 |
| SHA256 | 76a9f22039731c1fb3871876dd8c55d4ab75635367daa811ced5ed70eed950ac |
| SHA512 | d79edc2546249f71a19faa1ee4aebdfd2faa8b6b56615740c93023255c81716de6c4af484bde506f7dcd80b607d8804313589e58b05dd2448d5c1fca3cd39e92 |
\Windows\Installer\MSI8E97.tmp-\srut.dll
| MD5 | feba43763a9b7fe1c94d681055d10167 |
| SHA1 | 49d30dedf868accf07e6895e1699a4d751235fd0 |
| SHA256 | 0634fa964eba9baed92e2a935aef925fdaa921a35424b6ae9bfaaace932dc49d |
| SHA512 | 680116cfe66472c4d6ae9c94d74cd3fe8cef1c9beade27c19e58369c2c6f238f9e63019d7ea2b8b35689b7c0e812f2ee49d26a56e6972d3e21dc5f7312cf81ef |
\Windows\Installer\MSI8E97.tmp-\Smartbar.Infrastructure.Utilities.dll
| MD5 | 562ac9921d990126990c2f0bdce7081a |
| SHA1 | f395458d8e328cf4809385fef3e225d01f8a8fc0 |
| SHA256 | ef84e1ad9cf174a9ab0bba648b56f2ffd17f4cb4421902b61559b544d812e738 |
| SHA512 | f52a9a62ca7d810804289ffe0300919eea529f2e0d4d07709309e101087809a5a004437184f3a3518fcd286db18947d78ce00bafbcbbe7b62a8aca4cf8295208 |
\??\c:\Users\Admin\AppData\Local\Temp\pj9m_sgc.cmdline
| MD5 | fc7b9d51a502b6055811525e7b27c4cd |
| SHA1 | fc844039735bf461aac74916053515ccc2864ab6 |
| SHA256 | d882d62c57c4957e6790b34df5f6b67bab69572181b2ef4bb8fe2d4cce36b4d5 |
| SHA512 | 05fc35ae137c5039ed5de82cbff8d14cc0891e9be2be61756b8d34a9dcae6501b524019822ed0c78b1035e7ff7bc190dd5681cf561f3b883f63ac00d74153df6 |
\??\c:\Users\Admin\AppData\Local\Temp\pj9m_sgc.0.cs
| MD5 | 6f8e0c3c3b1b9a297b8ee6bfbb9c2a2c |
| SHA1 | 1dbab29ad6fb169fad90e963dd0c5290f27272fc |
| SHA256 | e0514048fd6f4169c41896332a243cf014a719e5fe217c5743fc3c7149db578a |
| SHA512 | 193fc4f01b6afb2a858f006eb7c5dfd6106d88b0b0e0f12b4c8c103a8bae270ff0d583886ec5af910ce4d50cb1ccfb54a14d27fd517b847a624d9ba79f688640 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC9260.tmp
| MD5 | 612553ad987e3c4eb9bbf5ff99c8f817 |
| SHA1 | f0d778c5063717e1e80f42db01bb135319057a9a |
| SHA256 | f0beb8512a7303b67c5310601cb113d87953cded9e78afc915c831981c65598d |
| SHA512 | 17fa8667ea1c0c815a29da245fb7f0b399bb5bad885cddd8d72d3685329073d2af6eff459771d5a20b92f140c7710e1076a7280680859a9a0e7fbeb667226c23 |
C:\Users\Admin\AppData\Local\Temp\RES9261.tmp
| MD5 | 3aede730ae405a78eaf5ce9211e8e146 |
| SHA1 | 549ebad7bd959f5f59ad471dbb80f3fd9ada79b7 |
| SHA256 | 4e0786709d399e988050c17f68888a692c8643df45bc7eacad8a803b285f395f |
| SHA512 | 30c2d98b8eb17dfce1721f7622ae15af1cc1221c5c3d550ed3511e55317585c7151a111d66a47a08587268842f82bb87720e49fa800154918393c45fd92a3fc4 |
C:\Users\Admin\AppData\Local\Temp\pj9m_sgc.dll
| MD5 | a93a6d33139fc8e4e7b8990b31ee9123 |
| SHA1 | e74390f432b6433bb23187a7a5ae70cab06a3039 |
| SHA256 | 37629fb7a01f9376e0b84f0adc31b60f5b827f6ebfebe93e6e59275efc5d5d81 |
| SHA512 | 564caf810ffe42277a0ee2a439059165331b817667ac298d2662b3bf9527bb6e0bc6929de2c325e2b81004cc1e51fc8959618c405313d8e9ccb6528abb78936d |
\Windows\Installer\MSI8E97.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
| MD5 | 7868ed46c34a1b36bea10560f453598f |
| SHA1 | 72330dac6f8aed0b8fde9d7f58f04192a0303d6b |
| SHA256 | 5c17864f1572acec1f93cf6355cfd362c1e96236dcba790234985a3f108d8176 |
| SHA512 | 0cc913337e3334ff0653bc1fad044d9df60a8728c233dcc2c7f6139f14608740b70b57c25a9d2d895cbc4d59508779f342a72406e623d30365ae89fb2a3607ba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 18b09095e19a2596b3502acaf62981db |
| SHA1 | 0a04507daad6b946198835844deb8388574e8750 |
| SHA256 | 5a1802ffe5b76321f2f88f327006ae3f7cd710394ff5f61aff57ec2d5edc910c |
| SHA512 | e46da8b93a350d452a1e25ec5d4b401b99d370932daa42023f609a655100f77567cec00ca7f6e63ad3b638fe59200beb8eb0d196f815e6b9ef13344fb4a684b9 |
\Windows\Installer\MSI8E97.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll
| MD5 | adb53ee43f74f430368449b98b2f6f86 |
| SHA1 | fb882d80da9ccf79c6817a492fbd686d4759bb41 |
| SHA256 | b7837a68ede7781286057de0b59b7bb9c7c29ff9e9ded32c7175cafe9de3b5ff |
| SHA512 | 8fc2cd5a585c8247274fbe8d53ac27faa1f2b0407d27e5e78d6917cfa94947ace2aa20ca670a5b87e3d7a939360691102ed9c7530ec997af1057064bcb9c085a |
\??\c:\Users\Admin\AppData\Local\Temp\hu9rztdy.cmdline
| MD5 | 26b93c4f2610c43ea0714b7cd90422fb |
| SHA1 | 13f8d6bc61a0534e69bad6722609e4b8898ca7b5 |
| SHA256 | 6a8634fd6379f5d593d6bca0ed3d9602498604ca5744439816a8f0dd7916039b |
| SHA512 | a2ce970161db089c232f9b23b3367e5879a7976e362b16d7b7e8c73d2e7eacc6acc4befe30057a5c336ef3eed2a5fe1a28738e18750c9cdd24c4b78a908ce0a2 |
\??\c:\Users\Admin\AppData\Local\Temp\hu9rztdy.0.cs
| MD5 | 14ac60821b7e9508914fdf584ef23f46 |
| SHA1 | 9bc6cb0f7ea31050962fe56398213a48c5097ffa |
| SHA256 | ed564c34b04178601638c4c2a9ac3c21ac83d4031976fbd467c42d8e1a7c7c1c |
| SHA512 | b3faf1282b570436807b403ebd7aead6e86dbcb61dd64cfba0bc25023ddfe2017434e7f2ba34c0e69974b6f28587d75448f6b9567814d93130e9c7c3b8d01cd5 |
C:\Users\Admin\AppData\Local\Temp\hu9rztdy.dll
| MD5 | 823a5f7b0feab2b6c831c0f90abe15ce |
| SHA1 | b0a1b3ee045c4f3783f0e9149abdc4245536e477 |
| SHA256 | fd62dfd148aa3b13c75178145fa054e1f703e1396baa3392fd547ce3a91fbb4f |
| SHA512 | 0b1b73933482c2f67655355d7fffe3daf13d5887911fb94ea3810c09cd916f32a73e308e4721d0c72660698bdce1d904e3a5c74f06d8af47059881813bad017d |
C:\Users\Admin\AppData\Local\Temp\RES9510.tmp
| MD5 | 0bc0b2ca46cc21ced1070f19805a1e23 |
| SHA1 | 7f8488b25b9b9deb9678ad9dc8851ce8852b850c |
| SHA256 | adb50b90ffb31ed44ab2b7970340fb45a815b7ff2e07c3f3ce5d0af17099fdc5 |
| SHA512 | 562aa3e053012e4a6e15ad1f65bd2c7656f4bcd9a5cc13bc231d842d15e3d03ff47ece0eb551c64fc6d0f5cf26e1b051fa469b012c6eaabb802c74bb4e1afbda |
\??\c:\Users\Admin\AppData\Local\Temp\CSC950F.tmp
| MD5 | deb13f715c915bc5b95e50c3edb5bf27 |
| SHA1 | 9362eadb383b4f235529cbb3341441aedcb88033 |
| SHA256 | eb164872b01f2992e8d5047bbed6ca5d0107de04612e54776e0a1485841d0534 |
| SHA512 | 12fdf04c756fb242fbbbe1732601e1ef435f9c95919a00be338e05bcc2b5e90cb7ab4c91037249c5c7e9db7922c5c33ed6380dcb77784b3f5e88f61814ddf973 |
memory/2880-260-0x00000000001A0000-0x00000000001E0000-memory.dmp
C:\Windows\Installer\MSIA120.tmp-\CustomAction.config
| MD5 | 796621b6895449a5f70ca6b78e62f318 |
| SHA1 | 2423c3e71fe5fa55fd71c00ae4e42063f4476bca |
| SHA256 | 09be5df7a85545fd93d9fd3cd1d6c04c6bfe6e233c68da6f81c49e7a35fcbb84 |
| SHA512 | 081cf1dadb3a0e50f0a31ab03e2b08e80298c06070cd6f9b2806c08d400c07134623f7229a6c99910c6243dfa53c6e2c05d09a497aae1e701bc34b660cf9e4c9 |
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
| MD5 | bd135bb64f648337d86e6038f11caf24 |
| SHA1 | 9fc0375a9af7c3577843251a9d77c5a8ae587a54 |
| SHA256 | 908ce7a16026b741813f248baf0ef1b9e632c7c34225c2b5842965380b6e5dbf |
| SHA512 | e631cfb962d1c044f44cf1ceae730f1c91833ca38d1ee0181ac1227bafd29bdc0c5a4defca3d4ab40e64ea3e62fbe6b79a8c23737df6f93eaa03596752b2a135 |
memory/2880-423-0x0000000074890000-0x0000000074E3B000-memory.dmp
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133CPress.png
| MD5 | 5719ee7f6521ae142f0557f0706cded1 |
| SHA1 | a1d5694197827967aea5b3ccc88e2f91d465c283 |
| SHA256 | 0a2ae8f3e9aa552748cfeadaec055778487602e7f6d4a6c2a221fe1fd496bfaf |
| SHA512 | cde76dada9e798a746d7ae23ee189940a6b7660805267a9221501c5c911a89b298005f111622fae7c886e810e23f83b77d47fa75793d19441246eb775a2f2bf6 |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\3C610B86-19DE-4757-B46A-871C9C27FF0APress.png
| MD5 | 2768222689e3585d609b5a2afc1ba52c |
| SHA1 | ee522df6b2e365857bf6be58ac7150cbc71cfc9c |
| SHA256 | 21ee471e79b0a646735e132bc1f0c48f464677127b105426e00b160a554de6b0 |
| SHA512 | 56527749dca471af92eb4166b2bb6f1ca4cbf07c8d7e1a201378467f1d08efe5fd913715bb995d35c7d511b2cbdc9469d79baae7ee4bab619e4e11753c3505e4 |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png
| MD5 | e6ab030a2d47b1306ad071cb3e011c1d |
| SHA1 | ed5f9a6503c39832e8b1339d5b16464c5d5a3f03 |
| SHA256 | 054e94c94e34cef7c2fad7a0f3129c4666d07f439bfec39523dca7441a49bd7c |
| SHA512 | 4cbb002cc2d593bafd2e804cb6f1379187a9cae7d6cc45068fda6d178746420cc90bcd72ba40fc5b8b744170e64df2b296f2a45c8640819aa8b3c775e6120163 |
memory/2056-1158-0x0000000000530000-0x0000000000556000-memory.dmp
memory/2056-1185-0x0000000000A70000-0x0000000000A90000-memory.dmp
memory/2056-1282-0x00000000033B0000-0x0000000003493000-memory.dmp
C:\Windows\assembly\tmp\Z49B1JT5\System.Data.SQLite.dll
| MD5 | c2e38bfe933c5bce36910fe1fb1d5067 |
| SHA1 | aac5ed2724e2f88c7af1a3bf56d73180ae709bb7 |
| SHA256 | 49a51063aaccc22a28590575417bdff40a67a06e6f2a67217b37af1b49fa6286 |
| SHA512 | 281225b5e7193270b27811224c70475fc9af47c5d05a7e98f6856ad6abccff084302d0ddb72868d6872eef2efaf2989645af5e596083bfb995f214182aa4184d |
C:\Windows\assembly\tmp\YBSBGLPC\Interop.SHDocVw.dll
| MD5 | 030a99f9594434ea83d27b33a95c4d5a |
| SHA1 | 230882058a1d50e4e8f7fa4bb3144dec506c5967 |
| SHA256 | 0fdc72a06cc54771f1b07293d2e914cded985d84833ed4bf952a665eb107b5a3 |
| SHA512 | 529d14374df0b455db055027f42ccf731ddf4b7bef8fc27bffa2ff5a46463dc6b3cacf75fd6356e325f075d7fb70ad0f8abd85feb75d00befd1c86aec857d7ee |
C:\Config.Msi\f768902.rbs
| MD5 | bd1ebf2883367279f4a1503abe12c64d |
| SHA1 | c804a76db34f079d06af2dbfe9c0d376d31b5376 |
| SHA256 | 620abcf98a6c03c4a8e3239ef90ee6f6673c861f7d2c6f5fa8a8a91d9797554c |
| SHA512 | 52a5d8f483e89193fc7c4fb0da6182ae28ac93a76acd9e631c494dddabfcc9d9766811fd8013222a1a886b0e4ed583682a54e4c215e2333704495a3947b228ac |
C:\Windows\Installer\MSIB0FB.tmp-\srprl.dll
| MD5 | d8fa7df1f2cd92ad701bc23f86d89b54 |
| SHA1 | 72160fd5ad639c5a9c44305b06c98eb637399d18 |
| SHA256 | 475a2c225258c571ae66c0178a83177bd5a59f4ce1be1f867e14e75614ad43e4 |
| SHA512 | a4d11c7f66325199f5c3a41cc37f32cf6ee828d790add1a6b77b9127e65243bb17dcc10b1cb2cbaac4e543bc329bd30e64919ffc0af3fd6088a672e08e10e992 |
C:\Users\Admin\AppData\Local\Smartbar\Application\ps0o-9wb.newcfg
| MD5 | 51417498b55cf9dd3d2b06acca131f8d |
| SHA1 | e29cf97632afc31c3f33e92ec11aba4ab6af279f |
| SHA256 | 09c4cf7783aaaf4d783a20d5d424e5d778dfa985cf24d9adab6a8615e5942ea9 |
| SHA512 | 2190da7f78ed76aed06ffabfdcfdff6f248ba7a1990bb80a4949a101626013c87048d5464487bcd0679c50d5019a26379f4f8691d0100ca08f7dfdd709417836 |
memory/2792-1471-0x0000000000F50000-0x0000000000F68000-memory.dmp
memory/2792-1470-0x0000000000F50000-0x0000000000F68000-memory.dmp
memory/2296-1525-0x0000000002810000-0x0000000002836000-memory.dmp
memory/2296-1524-0x0000000002810000-0x0000000002836000-memory.dmp
memory/1284-1552-0x000000001C2C0000-0x000000001CA66000-memory.dmp
memory/1284-1553-0x000000001D220000-0x000000001D9C6000-memory.dmp
memory/836-1580-0x00000000008D0000-0x00000000008F6000-memory.dmp
memory/836-1581-0x0000000000900000-0x0000000000926000-memory.dmp
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | 55087b625b8e37d019de74b9b8721a84 |
| SHA1 | ffbd7e8e44ab409ebac26f3c84079aa4312c9f79 |
| SHA256 | c1905f625cf71c9ada58bad6c453dd3c964e10398e8c5a42b0bcc9b55b35d170 |
| SHA512 | 86acfb604ecf313d089a77d27e4246ba81928d28cd10ff6ddec7daf562869ed40c79ad12616d8e2fd02af6898220a94c66a2d4965fbf21913e32f21ffd3289fc |
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | 0b48dbbcae2eb2df1d6df05ab4da2609 |
| SHA1 | 32b6868804a3b80b1db18aa4ef43616257ecf087 |
| SHA256 | e3cf60693c5b1ac205f01bbd6aa13db89211f225ce03ae28ded9e1124d62aeaa |
| SHA512 | c255bc789cba406660f769ab24239250e914a6c10f133c4849e5f9b21e03fb0e53105b2668a3934d3bdf449948ee2a4573b32e2a7caec88a3484f46ff1ee5d11 |
C:\Windows\Installer\MSIB0FB.tmp-\Newtonsoft.Json.dll
| MD5 | 0e32f5229d5ee7d288b6b3969a51fcbc |
| SHA1 | 54c09f07930525786fcf08b9c7aca24185a68fc1 |
| SHA256 | e1ca33208030c858254249b2c9aa6d8541c2e875343b2997f2b2f9e4993c96f8 |
| SHA512 | 64e8499e668ea44397ed5ea009e3692b623d2ac01bdd43e460624fe0282a3398025e4e53282e0f0905062b60400f4c16a64933ed7667de942f1588dd936aebcb |
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | 40e2d13c33947c3fda69738991f68f35 |
| SHA1 | 13a02c045ac252630f00c7a20eec0b01deb4833a |
| SHA256 | 600a17f13e52d72d6681c40ed08c277911757ef6277c67a58bb0a902123fc4c4 |
| SHA512 | dcef10cd5413aea040a5dcc49c8507e3c4f96446de356f14ea3078c4ac101f76a57e4a27b693f3511530a628d5965bf5e788b702b055c7bb2fe4b325331d4367 |
C:\Windows\Installer\MSIB0FB.tmp-\srsl.dll
| MD5 | 6fc50184e3aad7f4df0231da697a9da8 |
| SHA1 | fef8608d31e8e1c16ca7db402fa352ee7231585b |
| SHA256 | 58e698c208cd6ad94d2da3511447a975605e2b49bbdb7b572863f318aaffe0cf |
| SHA512 | 626b0a4031571ca906311937583f646aebdc7aacd5afb5ddf66c2d45dbc335e026d337d4f5803c38ddd022b9e64c79b4dd30d094d5d01a669e99d6c6829650b4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
| MD5 | 988ea61855eab89ff1f69e884a6bee04 |
| SHA1 | 5d4792d34fe3939301eefa968ab5b5e8d415aec1 |
| SHA256 | 010436597702c768cd6f56b169a523c69a64459e5ef04fefbeaaa1bd087a6fe1 |
| SHA512 | eb8df971b4dfacb0772571147e32a191161848464d24ab3be690f7308378004259c03375618ffbb332316b8bf21f637ce7fe694322590d9b56af65695e3d3b9f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Search.lnk
| MD5 | 3d5062b26fddc8f2c4278cb8fed34d36 |
| SHA1 | d4edd54e2ca12e30e4d1d724146293a15bbe07cf |
| SHA256 | 70415b734f95e6e629d53069f9443992f303b05055f49c5b4f9b0671b4907ba6 |
| SHA512 | 7548487f9972b131ec6d2fd14a9251985301687157809184d1e48318b957ec7cfce2ae783d00097dc118e933d65758bf712f7be333e2f9e7337f0aa0108c52a7 |
C:\Windows\Installer\MSIB0FB.tmp-\Interop.NetFwTypeLib.dll
| MD5 | a084b0c082ec6c9525336b131aeba39a |
| SHA1 | 45db1f5cc54a033e5df460b93edaa5d23a39ced9 |
| SHA256 | 7cba99a0f2a5b233e341f691c2aa6cb4ca10065425fc478b56fa468d6b0af54d |
| SHA512 | 297ba29e1ee4300f1a11620d475e67a9747fd9affabeee5fb5151b07c931c8f5c5af12b956e2ab7bd7dc6ebb1dbc298f5d56fa419f5fe2e3646053c0e515e29b |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\user.config
| MD5 | 616ab42083eede36bc6fffcd2f82470b |
| SHA1 | 02ef73bf49d43a94f8e1f9c95d31f8de39a779d0 |
| SHA256 | 1e0d18d5ca9ddc69300a216c588538a3d28feb5c9efc72d9119f32e213410f8f |
| SHA512 | d6e9de9558f0db667b2755b4b2d8dc5caa0371ead9caa7d7ce7c27a8d644670bd608798fdcf8d2ab1503233bff6ad217cbd40d093fb166c3068f3955a7644246 |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\3xrntfvx.newcfg
| MD5 | 9299591694196cf4b651494f079f354a |
| SHA1 | c853427aacdfdc07734215182134e12220646da8 |
| SHA256 | f64ae9b27986f7b21a49b8bcfbff76be10f25e6633010e378bb572d1a907fff1 |
| SHA512 | d729ed39b7981b7127b2c17553c2daaa7594409dcd5539dfe6c7c94a46d319bf8f7424ba1c8b1c91faa7dc387ce0b98bcf9b6fe4b567f21a17e8bad16338a00d |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\vkbdqyww.newcfg
| MD5 | a73d8359158ae5c7ea2ef01f99b1199c |
| SHA1 | 87b3851d602b3b8d536772419a51dd3c0bd31cb6 |
| SHA256 | 8d0685f655667024ffc0c7e677345531d072c000957d5ec8efc6502594c98202 |
| SHA512 | 209deb08a61b07fb133dd8265b2a3ddf5fd2bbf6d096f787e6f74d864a6ac7419861c1fe330e163f1e35d38402e51e0dc99fd57a92a560bd0205984b102b68db |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data.temp
| MD5 | 39a5c7009b80b2d130410e462715a860 |
| SHA1 | f498cc6a5b562ebbe0a8ae71a0c10423ae199507 |
| SHA256 | 9a8f8f69502ba0bd8b6c59d09990b22af89f18f5d6ee80c35233f869d604686f |
| SHA512 | 638fbdfeb965f6b4eaac5d032a2c1f625b9d0f7400010a44c23afcc8a9d37697e80fd26b5520d13c4588ff60e8109c9d099daa943e61ad66b5bf0ad6e588961c |
memory/2880-2558-0x0000000074890000-0x0000000074E3B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nso75CD.tmp\Ping.dll
| MD5 | b0e9ba9dab60cb7a9fd886dcf440cac3 |
| SHA1 | c416f6e9ba379feb9008c775d8456514444b66da |
| SHA256 | 52d52e5a1e1cec3e2db08555a8b2651f636cf76c6a24e32aa446595365cf193f |
| SHA512 | 90de38a7c57f59e8deb17c2473a215e2f052aee909a47ef37a88fefcfaeb5e6b54d462a39bcac4d0f1aa88d1806ba9e1237d0eeba98f7a0479bd6825e841f043 |
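Not every hash in the Files section is an indicator. RES*/CSC* temp files, Cab/Tar temp files, CryptnetUrlCache entries, `security.config.cch`, `.newcfg` files, `.rbs` rollback scripts and memory dumps are Windows or .NET residue; Newtonsoft.Json, Microsoft.Practices.*, Microsoft.Deployment.WindowsInstaller, System.Data.SQLite and Interop.* are redistributable libraries that many benign applications ship. Pushing those hashes to an EDR produces false positives without catching anything this sample is responsible for. The added example below (written for this report, not sandbox output) parses the path/hash blocks, sorts them into transient, library and candidate, and emits a YARA hash-module rule over the candidates. The classification rules are assumptions to review, and the input is a subset copied from the section above.

```python
"""Turn a sandbox Files section into a hash IOC set without the noise.

Added example for this report, not sandbox output. The input is a subset of
the Files section above; TRANSIENT_RE and LIBRARY_RE encode assumptions about
what is residue and what is a well-known third-party library."""
import re

FILES_SECTION = r"""
\Users\Admin\AppData\Local\Temp\Installer.exe
| MD5 | 564e47a3604ced3b7c18e43250226cd7 |
| SHA1 | a3eef8fac3617d048fb9fce2201937297e3920f1 |
| SHA256 | 12ae00fe728b441221acd10483eeb1197884738e9bd6eb715ceadeea058c6c83 |
memory/2880-27-0x00000000001A0000-0x00000000001E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab8AA5.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
\Windows\Installer\MSI8E97.tmp-\Smartbar.Installer.CustomActions.dll
| MD5 | 2120dbb0481374885af660346f503b9b |
| SHA256 | ef0e1d3a5f58e797c47d1ca2999e6ab1e94520c3816a8264874920c26c9ae474 |
C:\Windows\Installer\MSIB0FB.tmp-\Newtonsoft.Json.dll
| MD5 | 0e32f5229d5ee7d288b6b3969a51fcbc |
| SHA256 | e1ca33208030c858254249b2c9aa6d8541c2e875343b2997f2b2f9e4993c96f8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 18b09095e19a2596b3502acaf62981db |
| SHA256 | 5a1802ffe5b76321f2f88f327006ae3f7cd710394ff5f61aff57ec2d5edc910c |
C:\Users\Admin\AppData\Local\Temp\RES9261.tmp
| MD5 | 3aede730ae405a78eaf5ce9211e8e146 |
| SHA256 | 4e0786709d399e988050c17f68888a692c8643df45bc7eacad8a803b285f395f |
"""

HASH_RE = re.compile(r'^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$', re.IGNORECASE)
# Assumed residue: compiler/CAB temp files, CRL cache, .NET config cache,
# installer rollback scripts, generated source and memory dumps.
TRANSIENT_RE = re.compile(
    r'(^memory/|\\Temp\\(RES|CSC|Cab|Tar)[0-9A-F]+\.tmp$|\\CryptnetUrlCache\\|'
    r'\.(newcfg|rbs|cch|cmdline|0\.cs)$|\\desktop\.ini$)', re.IGNORECASE)
# Assumed redistributables: hashing these matches every app that bundles them.
LIBRARY_RE = re.compile(
    r'\\(Newtonsoft\.Json|Microsoft\.Practices\.[\w.]+|Microsoft\.Deployment\.WindowsInstaller|'
    r'System\.Data\.SQLite|Interop\.[\w.]+)\.dll$', re.IGNORECASE)


def parse_files(section):
    """Group each path line with the hash rows printed beneath it."""
    entries, current = [], None
    for line in section.strip().splitlines():
        m = HASH_RE.match(line.strip())
        if m and current is not None:
            current['hashes'][m.group(1).upper()] = m.group(2).lower()
        elif line.strip():
            current = {'path': line.strip(), 'hashes': {}}
            entries.append(current)
    return entries


def classify(path):
    if TRANSIENT_RE.search(path):
        return 'transient'
    if LIBRARY_RE.search(path):
        return 'library'
    return 'candidate'


def candidate_sha256(section):
    """(path, sha256) for the entries worth publishing, path kept for review."""
    return [(e['path'], e['hashes']['SHA256']) for e in parse_files(section)
            if classify(e['path']) == 'candidate' and 'SHA256' in e['hashes']]


def yara_rule(section, name='smartbar_dropped_files'):
    """A YARA rule using the hash module over the candidate set."""
    conds = ['hash.sha256(0, filesize) == "%s"' % h for _, h in candidate_sha256(section)]
    return ('import "hash"\n\nrule %s {\n    condition:\n        %s\n}\n'
            % (name, ' or\n        '.join(conds)))


if __name__ == '__main__':
    print(yara_rule(FILES_SECTION))
```

The `nso75CD.tmp\Registry.dll` and `Ping.dll` entries sit in a directory of the form NSIS uses for unpacked plugins; if you confirm they are stock NSIS plugins, add them to LIBRARY_RE as well. YARA's `hash` module hashes the whole file, so keep rules like this for triage of dropped files rather than for scanning large volumes.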
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-29 03:35
Reported
2024-11-29 03:38
Platform
win7-20240903-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup" | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
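The three registry signatures above are the persistence and privilege-context story of the installer: msiexec.exe (running the MSI's custom action) writes a Run value named "Browser Infrastructure Helper" that starts Smartbar.exe from the user's AppData, RegAsm.exe registers a Browser Helper Object CLSID under both the native and the Wow6432Node Explorer keys, and rundll32.exe reads EnableLUA. The EnableLUA read is something many installers do and is informational on its own. The added example below (written for this report, not sandbox code) turns rows of this shape into findings, scoring a Run entry higher when its command lives in a user-writable path and collapsing the two BHO rows into one finding. The sample rows are copied from the tables above; the severities and the path heuristic are assumptions.

```python
"""Derive findings from sandbox registry signature rows: Run-key persistence,
BHO registration and UAC status queries.

Added example for this report, not sandbox code. Sample rows are copied from
the behavioral7 tables above; severities and the user-writable-path heuristic
are assumptions."""
import re

SIGNATURE_ROWS = r"""
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup" | C:\Windows\system32\msiexec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
"""

# | Description | Indicator | Process | Target |
ROW_RE = re.compile(r'^\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*[^|]*\|$')
RUN_RE = re.compile(r'\\CurrentVersion\\Run(Once)?\\(?P<name>[^\\=]+?)\s*=\s*"(?P<cmd>.*)"$',
                    re.IGNORECASE)
BHO_RE = re.compile(r'\\Browser Helper Objects\\(?P<clsid>\{[0-9a-f-]{36}\})', re.IGNORECASE)
# Locations a standard user can write to; a Run command there is more suspect
USER_WRITABLE_RE = re.compile(r'\\(AppData|ProgramData|Users\\Public|Temp)\\', re.IGNORECASE)


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            op, indicator, process = m.groups()
            rows.append({'op': op, 'indicator': indicator, 'process': process})
    return rows


def findings(text):
    out, seen_bho = [], set()
    for r in parse_rows(text):
        ind = r['indicator']
        m = RUN_RE.search(ind)
        if m and r['op'].startswith('Set value'):
            cmd = m.group('cmd').replace('\\\\', '\\')  # undo the report's escaping
            out.append({
                'type': 'run_key_persistence',
                'severity': 'high' if USER_WRITABLE_RE.search(cmd) else 'medium',
                'value_name': m.group('name'),
                'command': cmd,
                # \REGISTRY\USER\<SID> is that user's HKCU; \REGISTRY\MACHINE is HKLM
                'hive': 'HKU' if ind.upper().startswith('\\REGISTRY\\USER') else 'HKLM',
                'process': r['process'],
            })
            continue
        m = BHO_RE.search(ind)
        if m and m.group('clsid').lower() not in seen_bho:
            seen_bho.add(m.group('clsid').lower())
            out.append({
                'type': 'bho_registration',
                'severity': 'high',
                'clsid': m.group('clsid'),
                'wow64': '\\Wow6432Node\\' in ind,
                # where the CLSID resolves to the DLL Internet Explorer would load
                'lookup': 'HKCR\\CLSID\\%s\\InprocServer32' % m.group('clsid'),
                'process': r['process'],
            })
            continue
        if ind.upper().endswith('\\POLICIES\\SYSTEM\\ENABLELUA') and 'queried' in r['op']:
            out.append({'type': 'uac_status_query', 'severity': 'info',
                        'process': r['process']})
    return out


if __name__ == '__main__':
    for f in findings(SIGNATURE_ROWS):
        print(f)
```

On a live host the same checks are a read of `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and of the two `Browser Helper Objects` keys, followed by resolving the CLSID through `HKCR\CLSID\{clsid}\InprocServer32` to find the DLL. Note that the process writing the Run value here is msiexec.exe, so an allowlist keyed on the writer's process name would miss this persistence.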
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\f76ed20.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76ed22.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76ed1d.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\Smartbar.GUI.Controls.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\srus.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\srpdm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\Smartbar.Resources.SocialNetsSharer.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF130.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF130.tmp-\spsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\Microsoft.Practices.EnterpriseLibrary.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\Smartbar.Infrastructure.BusinessEntities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF130.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF130.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF130.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF130.tmp-\MACTrackBarLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF130.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\spusm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\Smartbar.Resources.LanguageSettings.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\spusm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\Smartbar.Infrastructure.BusinessEntities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\MACTrackBarLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF130.tmp-\Smartbar.Infrastructure.BusinessEntities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\Smartbar.Resources.SocialNetsSharer.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF130.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF130.tmp-\srut.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF130.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\spsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\assembly\tmp\JZBRNH60\Interop.SHDocVw.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\srbhu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF130.tmp-\spusm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF130.tmp-\srpdm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF130.tmp-\Smartbar.Resources.LanguageSettings.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF130.tmp-\sppsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI889.tmp-\sipb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76ed20.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\srus.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\srns.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI128B.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Smartbar.exe = "9999" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{328AAE04-2F14-3F34-91E5-03B5DB97E915}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{36839DA9-AFF9-3D2A-AA97-D2D9B74DBC5B}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0D873270-8F86-3AE0-8173-7A61008EBF07}\7.0.3300.0\Class = "mshtml._HTMLCaptionFlag" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2E9-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLTableSectionClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F28C-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLScriptElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\1.0.0.0\Assembly = "SmartbarInternetExplorerExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{87845C39-C387-384B-99ED-3E3701F86C1D}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F4B8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F269-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F3DC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F630-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F26F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F28C-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\1.0.0.0\RuntimeVersion = "v2.0.50727" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\InprocServer32\Assembly = "SmartbarInternetExplorerBHO, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{794D9F34-06BA-3B05-8C7C-C62CA154BE00}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34A226E0-DF30-11CF-89A9-00A0C9054129}\1.1.0.0\RuntimeVersion = "v2.0.50727" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F6BC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLNamespaceClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F0EBA606-4E8D-3878-8A17-DDD69878CC4A}\7.0.3300.0\Class = "mshtml._htmlTabIndex" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4B8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2E4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F245-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A982E8A8-31B6-3CB2-81AC-2C185D16EEFD}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F270-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F402-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{11B2663E-7AE0-3DF6-9847-F53250984108}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E107CA26-9F34-3EA3-A2F9-C8844CC4DE75}\7.0.3300.0\Class = "mshtml._styleFontWeight" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F4CB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLElementCollectionClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IESmartBar.IESmartBarBandObject\CLSID\ = "{E041E037-FA4B-364A-B440-7A1051EA0301}" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{79CD6E7C-63CA-39D8-B871-342E17329B46}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B9C044FA-B26D-3609-9137-4ACDD2C00907}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1384875E-2884-3284-8992-AAAD8152B0FA}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5DD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{163BB1E1-6E00-11CF-837A-48DC04C10000}\InprocServer32\Class = "mshtml.HTMLLocationClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F48A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\ = "IESmartBar.BandObjectAttribute" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{425E7597-03A2-338D-B72A-0E51FFE77A7E}\1.0.0.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32\ = "mscoree.dll" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{35F0ED97-3328-3F26-958A-A8E5FAB21405}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A93A6C9E-D601-3E81-81BF-6C1567B89288}\7.0.3300.0\Class = "mshtml.tagSIZE" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\Implemented Categories | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D9FB2625-1C86-34B2-BF13-E4BBF98C23E9}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F402-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{656130CD-753E-3DDC-893C-D6975C1EEED9}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2DF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IESmartBar.DockingPanel | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BD371A4C-17BD-3FE8-ABCE-2515081859E2}\7.0.3300.0\Class = "mshtml._htmlEndPoints" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B98EACE7-0808-3582-B766-AECB9D3BFAE6}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FD436F4D-7C7B-32A4-A6B4-97DDDBB938D1}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5F842F6B-AE40-34F2-90A3-29C9BA8C4AE4}\7.0.3300.0\Class = "mshtml._frameScrolling" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BBFE60AF-DC3D-3951-8F95-947198A0442A}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8A507758-725A-3C67-9324-D93FD68ECC5A} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F3CE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F277-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLLinkElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F5D8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F284-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F316-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{46B186E7-5F33-3B60-8B70-9D95A04C1A59}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E937FBB3-7ECA-3FA9-95E2-FB9266F8A306}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F37F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F251-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = (certificate blob omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
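The `Blob` value in the row above is the serialized property store that CryptoAPI keeps per certificate: a run of records, each `<DWORD property id><DWORD 1><DWORD length><data>` in little-endian, back to back. Reading the row that way, the first record (`0f000000 01000000 14000000 …`) is property 15 (CERT_SIGNATURE_HASH_PROP_ID) with 20 bytes, property 9 is the EKU sequence, property 11 the UTF-16 friendly name `VeriSign`, property 3 the SHA-1 thumbprint (which equals the key name `4EB6D578…`), and property 32 the 1239-byte DER certificate whose subject is the VeriSign Class 3 Public Primary Certification Authority - G5. Writes of a Microsoft-distributed root into `AuthRoot` look like the normal root auto-update; the row to worry about is a thumbprint you cannot attribute, especially under `…\SystemCertificates\Root\Certificates`. The following Python is an added example for triaging such a row, not code from the sandbox report or from Smartbar/Linkury: it splits the blob into properties, decodes the EKU OIDs and friendly name, recomputes SHA-1 over the embedded certificate and compares it with the key name and with property 3, then looks the thumbprint up in an allowlist. The sample blob is constructed here with a fake certificate payload (the EKU and friendly-name bytes are copied from the row above), so the allowlist lookup misses by design; the property-ID names are from wincrypt.h and the allowlist holds only the root this row installs.

```python
from __future__ import annotations

import hashlib
import struct

# CERT_*_PROP_ID values (wincrypt.h) present in the Blob row above.
PROP_NAMES = {3: "CERT_SHA1_HASH_PROP_ID", 9: "CERT_ENHKEY_USAGE_PROP_ID",
              11: "CERT_FRIENDLY_NAME_PROP_ID", 15: "CERT_SIGNATURE_HASH_PROP_ID",
              20: "CERT_KEY_IDENTIFIER_PROP_ID", 29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
              32: "CERT_CERT_PROP_ID", 83: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID"}
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
             "1.3.6.1.5.5.7.3.3": "codeSigning", "1.3.6.1.5.5.7.3.4": "emailProtection"}
# Roots Windows itself is expected to write into AuthRoot. Only the root from the
# row above is listed; extend the allowlist from a golden image.
KNOWN_PUBLIC_ROOTS = {"4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5":
                      "VeriSign Class 3 Public Primary Certification Authority - G5"}


def parse_blob(blob: bytes) -> dict[int, bytes]:
    """Split a store Blob into {property_id: data}; records are
    <DWORD propid><DWORD 1><DWORD length><data>, little-endian, unpadded."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, _flags, length = struct.unpack_from("<III", blob, off)
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError(f"property {prop_id} claims {length} bytes past end of blob")
        props[prop_id] = data
        off += length
    return props


def _der_length(buf: bytes, off: int) -> tuple[int, int]:
    """(content length, size of tag+length header) for the DER TLV at buf[off]."""
    first = buf[off + 1]
    if first < 0x80:
        return first, 2
    n = first & 0x7F
    return int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n


def decode_oid(content: bytes) -> str:
    """DER OBJECT IDENTIFIER content (tag and length stripped) to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last base-128 byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der: bytes) -> list[str]:
    """Property 9 is a DER SEQUENCE OF OBJECT IDENTIFIER; return the usages."""
    if der[0] != 0x30:
        raise ValueError("EKU property is not a DER SEQUENCE")
    seq_len, hdr = _der_length(der, 0)
    off, end, usages = hdr, hdr + seq_len, []
    while off < end:
        if der[off] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU sequence")
        oid_len, oid_hdr = _der_length(der, off)
        oid = decode_oid(der[off + oid_hdr:off + oid_hdr + oid_len])
        usages.append(EKU_NAMES.get(oid, oid))
        off += oid_hdr + oid_len
    return usages


def triage(blob: bytes, key_name: str) -> dict:
    """Parse one Blob value and check that the certificate it carries really
    hashes to the thumbprint used as the registry key name."""
    props = parse_blob(blob)
    if 32 not in props:
        raise ValueError("no CERT_CERT_PROP_ID record; not a certificate blob")
    sha1 = hashlib.sha1(props[32]).hexdigest().upper()
    name = props.get(11)
    return {
        "properties": [PROP_NAMES.get(p, f"prop_{p}") for p in props],
        "sha1": sha1,
        "matches_key_name": sha1 == key_name.upper(),
        "matches_sha1_property": sha1 == props.get(3, b"").hex().upper(),
        "friendly_name": None if name is None else name.decode("utf-16-le").rstrip("\x00"),
        "eku": decode_eku(props[9]) if 9 in props else [],
        "known_public_root": KNOWN_PUBLIC_ROOTS.get(sha1),
    }


def build_blob(records: list[tuple[int, bytes]]) -> bytes:
    """Serialize records in the layout parse_blob reads; used only to build the
    constructed sample below (a real blob comes straight from the registry)."""
    return b"".join(struct.pack("<III", pid, 1, len(d)) + d for pid, d in records)


# Constructed sample: a fake 20-byte payload stands in for the 1239-byte DER
# certificate of the row above; EKU and friendly-name bytes are copied from it.
FAKE_CERT = b"\x30\x82\x00\x10" + b"constructed-cert"
EKU_DER = bytes.fromhex("302806082b0601050507030106082b0601050507030206082b06010505070304"
                        "06082b06010505070303")
FRIENDLY_NAME = bytes.fromhex("56006500720069005300690067006e000000")
SAMPLE_BLOB = build_blob([(15, hashlib.sha1(b"signature placeholder").digest()),
                          (9, EKU_DER), (11, FRIENDLY_NAME),
                          (3, hashlib.sha1(FAKE_CERT).digest()), (32, FAKE_CERT)])
SAMPLE_KEY_NAME = hashlib.sha1(FAKE_CERT).hexdigest().upper()

if __name__ == "__main__":
    # Real row: triage(bytes.fromhex(<Blob hex>), "4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5")
    for key, value in triage(SAMPLE_BLOB, SAMPLE_KEY_NAME).items():
        print(f"{key}: {value}")
```

A mismatch between the recomputed SHA-1 and the key name means the blob was written by something other than CryptoAPI (or tampered with afterwards), which is a stronger signal than the store write itself.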
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F3293420DFE159710E17A3B257DDD75C
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIF130.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259453390 1 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yuxdtbuo.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8A2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF8A1.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2qnekigq.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBED.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFBEC.tmp"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI889.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259459256 5 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI128B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259461798 9 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vk2buss8.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13C0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC13BF.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pqzs46i6.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES143D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC143C.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
"C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ehwkjilt.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES361F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC361E.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tv0cmbok.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36E9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC36E8.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yowep-pq.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3757.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3756.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mzd1swsi.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37A5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC37A4.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uzsoy4hw.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3860.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC385F.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lbzt7udn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES389E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC389D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kd2sjovv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ndu3v6ej.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC38DC.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38FC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC38FB.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9dnblq3n.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A72.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3A71.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nddiwyy9.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B5C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3B5B.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p1pkadk5.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AB7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4AB6.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wfvv0nj9.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C1E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4C1D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yezmfou1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DA4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4DA3.tmp"
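Detection logic for the process list above, as an added example that is not part of the sandbox report or of the sample's own code: the rules below run over command lines copied from the list and pull out the artefact worth pivoting on from each match (MSI path, custom-action entry point, response file, registered DLL). The severities are my assumptions. `RegAsm.exe /codebase` registering a DLL under the user profile is the step that wires the IE BHO and extension DLLs into the browser (high); `taskkill /F /IM msiexec.exe` followed by a silent MSI install from `%TEMP%` is installer behaviour worth a look (medium); `rundll32 … MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc` is the standard WiX DTF managed custom-action host (the `Microsoft.Deployment.WindowsInstaller.dll` in the Files list is DTF) and is interesting only for the entry point it names (info); and `csc.exe`/`cvtres.exe` compiling random `.cmdline` response files in `%TEMP%` is .NET CodeDOM/XmlSerializer runtime compilation, noisy on its own (low).

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Command lines copied from the process list above; they are the sample input.
SAMPLE_COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Installer.exe"',
    r'taskkill /F /IM msiexec.exe',
    r'"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet',
    r'C:\Windows\system32\msiexec.exe /V',
    r'C:\Windows\syswow64\MsiExec.exe -Embedding F3293420DFE159710E17A3B257DDD75C',
    r'rundll32.exe "C:\Windows\Installer\MSIF130.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259453390 1 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yuxdtbuo.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8A2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF8A1.tmp"',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"',
    r'"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"',
    r'"C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str
    command_line: str


# (rule name, default severity, pattern, meaning). Named groups capture the
# artefact that the detail message reports.
RULES = [
    ("taskkill_msiexec", "medium",
     re.compile(r'^"?(?:[^"]*\\)?taskkill(?:\.exe)?"?\s+.*?/IM\s+msiexec\.exe', re.I),
     "installer kills the Windows Installer process before running its own MSI"),
    ("msiexec_quiet_from_appdata", "medium",
     re.compile(r'msiexec\.exe"?\s+/i\s+"?(?P<msi>[^"\s]*\\AppData\\[^"\s]*\.msi)"?.*?\s/quiet', re.I),
     "silent MSI install from a user-writable path: {msi}"),
    ("dtf_managed_custom_action", "info",
     re.compile(r'rundll32(?:\.exe)?\s+"?(?P<host>[^",]*\\Windows\\Installer\\MSI[0-9A-F]+\.tmp)"?'
                r',zzzzInvokeManagedCustomActionOutOfProc\s+\S+\s+\d+\s+(?P<entry>\S+)', re.I),
     "WiX DTF managed custom action {entry} hosted in {host}"),
    ("csc_temp_cmdline", "low",
     re.compile(r'\\csc\.exe"?\s+.*?@"?(?P<rsp>[^"]*\\AppData\\Local\\Temp\\[^"\\]+\.cmdline)', re.I),
     ".NET runtime compilation of {rsp}; CodeDOM/XmlSerializer noise, check what loads the output"),
    ("regasm_appdata_dll", "medium",
     re.compile(r'\\regasm\.exe"?\s+(?P<codebase>/codebase\s+)?"?(?P<dll>[^"]*\\AppData\\[^"]*\.dll)', re.I),
     "COM registration of a DLL in the user profile: {dll}"),
]


def scan_command_line(cmd: str) -> list[Finding]:
    """Apply every rule to one command line; a line may hit several rules."""
    findings = []
    for name, severity, pattern, template in RULES:
        m = pattern.search(cmd)
        if not m:
            continue
        groups = {k: v for k, v in m.groupdict().items() if v is not None}
        if name == "regasm_appdata_dll" and "codebase" in groups:
            # /codebase makes the CLSID resolve to this exact file, which is how
            # the BHO / extension DLLs in this report get loaded by the browser.
            severity = "high"
        findings.append(Finding(name, severity, template.format(**groups), cmd))
    return findings


def scan(command_lines: list[str]) -> list[Finding]:
    return [f for cmd in command_lines for f in scan_command_line(cmd)]


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f"[{f.severity:<6}] {f.rule}: {f.detail}")
```

The rules key on command-line shape only; in a real pipeline add the parent process (here `msiexec.exe` spawning `rundll32.exe`, and the custom action spawning `RegAsm.exe`) so that the DTF and RegAsm hits can be tied to the installer that produced them.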
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cloud-search.linkury.com | udp |
| US | 167.71.184.143:80 | cloud-search.linkury.com | tcp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.83:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | cloud-search.snapdoapp.com | udp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | feed.snapdo.com | udp |
| US | 172.232.31.180:80 | feed.snapdo.com | tcp |
| US | 8.8.8.8:53 | ww99.snapdo.com | udp |
| US | 69.16.230.227:80 | ww99.snapdo.com | tcp |
| US | 8.8.8.8:53 | ww12.snapdo.com | udp |
| US | 75.2.73.197:80 | ww12.snapdo.com | tcp |
| US | 8.8.8.8:53 | csc3-2010-crl.verisign.com | udp |
| SE | 192.229.221.95:80 | csc3-2010-crl.verisign.com | tcp |
| US | 8.8.8.8:53 | pool.ntp.org | udp |
| US | 8.8.8.8:53 | pool.ntp.org | udp |
| US | 8.8.8.8:53 | pool.ntp.org | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.187.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | az412542.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az412542.vo.msecnd.net | udp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.146:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | au.snapdoapp.com | udp |
Files
\Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll
| MD5 | 3cf46bae7e872a661721b0894bc076e2 |
| SHA1 | eaaa0a35e284908dd21cf245a38efe9d2e4c7532 |
| SHA256 | 7ca73cfb8d0502b14b657216b8735394cbd08aa8e4266fb9e86ad84ae159b043 |
| SHA512 | 47065a1cb81b41cab7c98488609470b308c708ba73c0e11c3f06901fde008b280f3b75ee825c12e4681aefbd8a43840e0319b43bbab7fe68b24c30926d0ce9f2 |
\Users\Admin\AppData\Local\Temp\smartbar\GuidCreator.dll
| MD5 | 4876414d51fe01bd8525df2f8acd35d6 |
| SHA1 | f9435c39e3029276e71a971e48f68d3f0298fe11 |
| SHA256 | 4bda5a964065b918ce70a27914056b17a95e3f8002028b394ecf8ff2d7cebf3d |
| SHA512 | d18afa3d806fd056836beb5a0822156402afe3455567d41f9b27d578980d5ae341273cadf5dff3175a799e791822e07eede03e3c0c143604f980f7876cd2fc0a |
memory/2076-16-0x0000000000B20000-0x0000000000B60000-memory.dmp
memory/2076-17-0x00000000742C1000-0x00000000742C2000-memory.dmp
memory/2076-21-0x00000000742C0000-0x000000007486B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi
| MD5 | e5314db579a141f6a5204f70e7073de0 |
| SHA1 | 3d2e28be7594fd754213e3ea19b4f900f6634c91 |
| SHA256 | 84263b76687ff69f306579fb3f05f3a0528db029cf0f2f60eddc22549545408d |
| SHA512 | f18c446d8e388759c12527ca970dea3c24af954d199c39027eae4ad8c97df7c902f24845ab0ee0ffd9ad9ee6768c43169b11fec47bd3246cd2e9c7e8da44993a |
C:\Users\Admin\AppData\Local\Temp\CabEE38.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarEE69.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Windows\Installer\MSIF130.tmp
| MD5 | 44c66c7febaf067ac2f96e3bb643a5b3 |
| SHA1 | bc83eb57ebb44206b467c4147a7f82d52662e9b5 |
| SHA256 | 641fae557b683029787befda2a2ed5251b19a4c11fc19e3dbf2cd97459e7e383 |
| SHA512 | 41ce527bd09ae6b3126947197c94169121dcffe79b9db624a17a3a45d4e25a2f53dde0a686b4329b9e2d5c33bbbc6d6b9cc840b97731eac38ae31254dfd3364b |
\Windows\Installer\MSIF130.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 34d4a23cab5f23c300e965aa56ad3843 |
| SHA1 | 68c62a2834f9d8c59ff395ec4ef405678d564ade |
| SHA256 | 27cf8a37f749692ab4c7a834f14b52a6e0b92102e34b85ffcb2c4ee323df6b9c |
| SHA512 | 7853f1bc1e40c67808da736e30011b3f8a5c19ddf4c6e29b3e0eb458bea2e056fe0b12023ceac7145c948a6635395e466e47bdd6f0cfa1bd7f6a840e31e4694c |
\Windows\Installer\MSIF130.tmp-\Smartbar.Installer.CustomActions.dll
| MD5 | 2120dbb0481374885af660346f503b9b |
| SHA1 | 0dad9f77c93325cbe2499efac70ebbbfd8e1a4b3 |
| SHA256 | ef0e1d3a5f58e797c47d1ca2999e6ab1e94520c3816a8264874920c26c9ae474 |
| SHA512 | 46966d2eec899fbd48b8aaf5e72555cec3b2f1bc2481c2eb014d98078aa6b6e825144718fbe2aa7b23d816462645186abbfc2ebdc7a4f331d5087999f21ca68a |
\Windows\Installer\MSIF130.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll
| MD5 | 5dc8a7062040e05ad36bd83246954b05 |
| SHA1 | f6807be0413724076c8c384576ad9a5bc1413e8c |
| SHA256 | d00f229036a6ea19e05c9838f2827fdb22b3003af4c7c97b37abf2ea36236dfc |
| SHA512 | 43cda9b7a57ae292b71df7a8f02c359b486a82162f92e2d8a7449f2b9c835a7ba44177477a7e0763a5698a4b2d9a025f8786c054950db3fab017edfdf4c17f12 |
\Windows\Installer\MSIF130.tmp-\srbs.dll
| MD5 | 7ec601a05f97c73fc2180e8c57efc9af |
| SHA1 | 7c99dcdcec211459b1d9d429e2ada2839876f492 |
| SHA256 | 982d12314935e25a016da0bec644bc4c8bd02b0984eb70b76e081b3562a6adf8 |
| SHA512 | 119e216313540f0fac30c1a8e531909dbdc8022735a9fb73b80c8bbbb2ff0548cdf911e640cd19827acff703c95b1d8db0ddf3ed61d056e9e4d4f437b8c88e7b |
\Windows\Installer\MSIF130.tmp-\spusm.dll
| MD5 | e28c8d2fd64ba27d9b992fc325f26a9d |
| SHA1 | d9ed413265967b6ede8787aa8c5e5734a4ea1358 |
| SHA256 | 82d96714ac65e6e18e3da619cfd1367416bba5ed6d08db7bf312f8937f95f2ab |
| SHA512 | e2fcc5972c48fa1d26d2df0b2c5ed4e34d15d7f08eb35510989441b4083f30d19f6d5fc2652ac42d11a3877f333ad4408c0cb547ecf7b948e1f324f719cfc739 |
\Windows\Installer\MSIF130.tmp-\srbhu.dll
| MD5 | fcbe6dec3d2da2ac9fd2754cc9cf6ad9 |
| SHA1 | 7954bdf16f99bf843c5c8053a078813d87c94254 |
| SHA256 | 71688a7955124b644cb05833d8285b876c7ff336eb4478ce01e1f80b07f7b76e |
| SHA512 | 5975297ac6aaa7d85842079809f9be2ad57959da2687de4bb7aa0764bc16dd878c482a92d7c4a4ed484aa7683f60c90b870757165f79d7ae481b7f7897e94c39 |
\Windows\Installer\MSIF130.tmp-\sppsm.dll
| MD5 | 787104ad9dea702d115883c489be54cb |
| SHA1 | b24680d170c610203df5e3d1d52b2b04f938dd56 |
| SHA256 | 934230fc9da4c6eac4b1f916baec075ac5faf1a70af14dcdb62d3d06ca878cd3 |
| SHA512 | 861147b8ed484a25a5ca9af8b7488896ee41dfd4eb57dafd4bb33455b03936c8fd930224fd9a1a0e8dcddf0fc33bc7adfc3ac48ca3ff430122f3ce18952fe312 |
\Windows\Installer\MSIF130.tmp-\Smartbar.Personalization.Common.dll
| MD5 | 347b0b5d32b1a85b5450b08cfb6d2e75 |
| SHA1 | 7bfe1857974a6c6c3e882624d820311c1e3bf670 |
| SHA256 | 76a9f22039731c1fb3871876dd8c55d4ab75635367daa811ced5ed70eed950ac |
| SHA512 | d79edc2546249f71a19faa1ee4aebdfd2faa8b6b56615740c93023255c81716de6c4af484bde506f7dcd80b607d8804313589e58b05dd2448d5c1fca3cd39e92 |
\Windows\Installer\MSIF130.tmp-\srut.dll
| MD5 | feba43763a9b7fe1c94d681055d10167 |
| SHA1 | 49d30dedf868accf07e6895e1699a4d751235fd0 |
| SHA256 | 0634fa964eba9baed92e2a935aef925fdaa921a35424b6ae9bfaaace932dc49d |
| SHA512 | 680116cfe66472c4d6ae9c94d74cd3fe8cef1c9beade27c19e58369c2c6f238f9e63019d7ea2b8b35689b7c0e812f2ee49d26a56e6972d3e21dc5f7312cf81ef |
\Windows\Installer\MSIF130.tmp-\Smartbar.Infrastructure.Utilities.dll
| MD5 | 562ac9921d990126990c2f0bdce7081a |
| SHA1 | f395458d8e328cf4809385fef3e225d01f8a8fc0 |
| SHA256 | ef84e1ad9cf174a9ab0bba648b56f2ffd17f4cb4421902b61559b544d812e738 |
| SHA512 | f52a9a62ca7d810804289ffe0300919eea529f2e0d4d07709309e101087809a5a004437184f3a3518fcd286db18947d78ce00bafbcbbe7b62a8aca4cf8295208 |
\??\c:\Users\Admin\AppData\Local\Temp\yuxdtbuo.cmdline
| MD5 | 33a6e7a16cdca3843919beae3d9ed8d0 |
| SHA1 | 4fbd194849795e62bb9cbeaa8c6517ca74fa0f1e |
| SHA256 | b6f5851bf8012e5543ff51df37ef774bdaf633a234a938ebabfcdf5602ea07f6 |
| SHA512 | 2ffbf0446075dfee5574c6501e091b509d9b11735f6848dc190173bfca55e1bc21d3d4baee9ec365023c78dfec62b33e7c6c9e7f7362b0186cc1581b124000b2 |
\??\c:\Users\Admin\AppData\Local\Temp\yuxdtbuo.0.cs
| MD5 | 6f8e0c3c3b1b9a297b8ee6bfbb9c2a2c |
| SHA1 | 1dbab29ad6fb169fad90e963dd0c5290f27272fc |
| SHA256 | e0514048fd6f4169c41896332a243cf014a719e5fe217c5743fc3c7149db578a |
| SHA512 | 193fc4f01b6afb2a858f006eb7c5dfd6106d88b0b0e0f12b4c8c103a8bae270ff0d583886ec5af910ce4d50cb1ccfb54a14d27fd517b847a624d9ba79f688640 |
C:\Users\Admin\AppData\Local\Temp\RESF8A2.tmp
| MD5 | 2cba79e8a557b7d8a4c33255a6429b8e |
| SHA1 | 6acbe071b5adf503809d9b115a888dec88f9a542 |
| SHA256 | 8e07bde5b9e148f75a64bc313e9301319ca241c1ff12d35ecf0ca6b14843624e |
| SHA512 | 9d31637ef6c6cdeeb74428c5e1b0b6a6295de625ed3ea38839a9a0427fd479aca7d8bd3f5ce67abdb7852d185e2fd61366f4372b02c945f0757528b43d545032 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCF8A1.tmp
| MD5 | 4f1aed363ca88fe422cb312f45884800 |
| SHA1 | e5a2da2fb8910b46ee85d85057df03cd5ee3f907 |
| SHA256 | 28502e8eddef2fae9493077d9e8412eb46a3dfc97091f0d5d28e8290c1e2ba6f |
| SHA512 | 3cdcce49d1d22cf8504704346aaa4ba5d1d2dcf46e6c83533128ca41e8d7f3c88d89ef59d945b9632647d3e2866dc1307f2bbca3e3c308badd2790cfb9f65f04 |
C:\Users\Admin\AppData\Local\Temp\yuxdtbuo.dll
| MD5 | c1a6474e7f7a09d6a1ba0ade21e1dcf9 |
| SHA1 | 435eeebb51a6bd1dbea7ca9e2f190a676a33e80b |
| SHA256 | 9cf81251f582d9dd0f4a513534a2c5f5d28d62f6d9e9c4a89b1eb7615124aab6 |
| SHA512 | 5e7f0f3606ab15b5d241fdcf7c6d00c8d1c1391453b3760eb42db4e7f2211329a41f5594a373559b12cbb6f4d2c0b0dd11fda896a6e371d5e8d1785df9de8aac |
\Windows\Installer\MSIF130.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
| MD5 | 7868ed46c34a1b36bea10560f453598f |
| SHA1 | 72330dac6f8aed0b8fde9d7f58f04192a0303d6b |
| SHA256 | 5c17864f1572acec1f93cf6355cfd362c1e96236dcba790234985a3f108d8176 |
| SHA512 | 0cc913337e3334ff0653bc1fad044d9df60a8728c233dcc2c7f6139f14608740b70b57c25a9d2d895cbc4d59508779f342a72406e623d30365ae89fb2a3607ba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4a70c37a0309e79811fd926e2ee18e36 |
| SHA1 | d9f3e4b74c99c6b18126090dfb52c2b240ae2d5d |
| SHA256 | 2ee910cfe151cf064981c52407752439e39190e27488f7a50f996711f09b9f8b |
| SHA512 | cde16f5e15e5f69a694fcf5b2e6248fd9c7421d6a934390b8ce4b6bc8ebfadf8f73dd402244197ee6ec6dd8b913a3f28dea218e7d4faf1e475c7c40d5b799d58 |
\Windows\Installer\MSIF130.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll
| MD5 | adb53ee43f74f430368449b98b2f6f86 |
| SHA1 | fb882d80da9ccf79c6817a492fbd686d4759bb41 |
| SHA256 | b7837a68ede7781286057de0b59b7bb9c7c29ff9e9ded32c7175cafe9de3b5ff |
| SHA512 | 8fc2cd5a585c8247274fbe8d53ac27faa1f2b0407d27e5e78d6917cfa94947ace2aa20ca670a5b87e3d7a939360691102ed9c7530ec997af1057064bcb9c085a |
\??\c:\Users\Admin\AppData\Local\Temp\2qnekigq.cmdline
| MD5 | 8d812b80d5c84a87cd29d16b4c04c8e4 |
| SHA1 | 24cd6ca96ad7174b1397630f303df3ed32e4a22c |
| SHA256 | e90732d579379cd5fa19bea1896f186b8b05a7913be8466fadc0165ad94d2ec9 |
| SHA512 | 2f2e3ddb8a674a02f873fc0b241f417b2190194c4bc557c324fdea8dc3398f85ee33f2838c7de54852cf764620910cd27dca8ebd8666d3ea8d793bae05358d5e |
\??\c:\Users\Admin\AppData\Local\Temp\2qnekigq.0.cs
| MD5 | 14ac60821b7e9508914fdf584ef23f46 |
| SHA1 | 9bc6cb0f7ea31050962fe56398213a48c5097ffa |
| SHA256 | ed564c34b04178601638c4c2a9ac3c21ac83d4031976fbd467c42d8e1a7c7c1c |
| SHA512 | b3faf1282b570436807b403ebd7aead6e86dbcb61dd64cfba0bc25023ddfe2017434e7f2ba34c0e69974b6f28587d75448f6b9567814d93130e9c7c3b8d01cd5 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCFBEC.tmp
| MD5 | 2924b108f836fcb04e26bdb52a78bc12 |
| SHA1 | d86183b3e19e587cadb8dc1d418b7956d3328bbb |
| SHA256 | 8951587d8bcd64064fc6e004701b8ee9e5e263475f06f6099f5db81248f349c2 |
| SHA512 | 6fa493132e1e7abc1ac9c0240c258c2c5a943d47627eadf8c53bade7e9afe5965936c5a9a5684ef441573c7aa8fe6a234cf4fe8ed7ec504b6db583f7a939a9df |
C:\Users\Admin\AppData\Local\Temp\RESFBED.tmp
| MD5 | e8940ef448bb3937aa70ebf385356011 |
| SHA1 | 45f36b7bde08c0d4441bc461f2724be3713a91b0 |
| SHA256 | 74739b34f180b24b2d34c89129ca006b858159f7ef7dbdf5f2ef89ba25ddc0c8 |
| SHA512 | 7d470f808258d80a29ab966f8e50c8854cf9d5365c3168f57fdf04970e47324343ba29fe4734a6c9875534ca37fd5a3a9b1012ed651420f5301ab1aebb835ddd |
C:\Users\Admin\AppData\Local\Temp\2qnekigq.dll
| MD5 | f2817d95e536ca9aeb01ca295e4820aa |
| SHA1 | 879428a2f6b84dc1dd06fb8fa2886366fafacb9b |
| SHA256 | e1b3538d7a6164dba2d73dc327e1a83f29f851aca81faeebc0e320bba069f28b |
| SHA512 | 769c35239f87190de0b56f44799eacb123e11a37aafcc262148e0046b28e692628611ad4e38f545d7fdfb099059a8bc8b4725328bfffc6cadc28384616176fac |
memory/2076-249-0x0000000000B20000-0x0000000000B60000-memory.dmp
C:\Windows\Installer\MSI889.tmp-\CustomAction.config
| MD5 | 796621b6895449a5f70ca6b78e62f318 |
| SHA1 | 2423c3e71fe5fa55fd71c00ae4e42063f4476bca |
| SHA256 | 09be5df7a85545fd93d9fd3cd1d6c04c6bfe6e233c68da6f81c49e7a35fcbb84 |
| SHA512 | 081cf1dadb3a0e50f0a31ab03e2b08e80298c06070cd6f9b2806c08d400c07134623f7229a6c99910c6243dfa53c6e2c05d09a497aae1e701bc34b660cf9e4c9 |
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
| MD5 | 55344bf7bbe02b50262d0452c4e2d008 |
| SHA1 | 766127c20bb683fecddfe6ff84be3356b7d82502 |
| SHA256 | fd922a13fd75fc1828c46dbad71e347ff6c4db9b6267b849f799f8b35b3fd293 |
| SHA512 | e726a5dbfc5d0788a2d2ee1b2e2b8fda76e03adcfd518ab6ff2feebfc2a96d9d9156d175ad1483208004a2e1595c7bd34e7bab0038d786225b4e570cf337106e |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133CPress.png
| MD5 | 5719ee7f6521ae142f0557f0706cded1 |
| SHA1 | a1d5694197827967aea5b3ccc88e2f91d465c283 |
| SHA256 | 0a2ae8f3e9aa552748cfeadaec055778487602e7f6d4a6c2a221fe1fd496bfaf |
| SHA512 | cde76dada9e798a746d7ae23ee189940a6b7660805267a9221501c5c911a89b298005f111622fae7c886e810e23f83b77d47fa75793d19441246eb775a2f2bf6 |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\3C610B86-19DE-4757-B46A-871C9C27FF0APress.png
| MD5 | 2768222689e3585d609b5a2afc1ba52c |
| SHA1 | ee522df6b2e365857bf6be58ac7150cbc71cfc9c |
| SHA256 | 21ee471e79b0a646735e132bc1f0c48f464677127b105426e00b160a554de6b0 |
| SHA512 | 56527749dca471af92eb4166b2bb6f1ca4cbf07c8d7e1a201378467f1d08efe5fd913715bb995d35c7d511b2cbdc9469d79baae7ee4bab619e4e11753c3505e4 |
memory/2076-570-0x00000000742C0000-0x000000007486B000-memory.dmp
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png
| MD5 | e6ab030a2d47b1306ad071cb3e011c1d |
| SHA1 | ed5f9a6503c39832e8b1339d5b16464c5d5a3f03 |
| SHA256 | 054e94c94e34cef7c2fad7a0f3129c4666d07f439bfec39523dca7441a49bd7c |
| SHA512 | 4cbb002cc2d593bafd2e804cb6f1379187a9cae7d6cc45068fda6d178746420cc90bcd72ba40fc5b8b744170e64df2b296f2a45c8640819aa8b3c775e6120163 |
memory/2672-1151-0x0000000000540000-0x0000000000566000-memory.dmp
memory/2672-1178-0x0000000000570000-0x0000000000590000-memory.dmp
memory/2672-1275-0x0000000003250000-0x0000000003333000-memory.dmp
C:\Windows\assembly\tmp\4ABHQHGU\System.Data.SQLite.dll
| MD5 | c2e38bfe933c5bce36910fe1fb1d5067 |
| SHA1 | aac5ed2724e2f88c7af1a3bf56d73180ae709bb7 |
| SHA256 | 49a51063aaccc22a28590575417bdff40a67a06e6f2a67217b37af1b49fa6286 |
| SHA512 | 281225b5e7193270b27811224c70475fc9af47c5d05a7e98f6856ad6abccff084302d0ddb72868d6872eef2efaf2989645af5e596083bfb995f214182aa4184d |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
| MD5 | 7b6bfe42db5ded1120ebc1d2296238bb |
| SHA1 | ccba3f07255d6faba228af85bd4e8822f104b2db |
| SHA256 | 3a221627582ddb37204e0793e71285cc6cd7ed20b1d95e462ac1bf84097cc56a |
| SHA512 | cd15cf0a6143b71f1905e83ea9ba282bc77329f1411e56baf31997436c06ad169b9a5161e3db75a09e0a00afda243c807683ab5ce0f07591d2f4838553808546 |
C:\Windows\assembly\tmp\JZBRNH60\Interop.SHDocVw.dll
| MD5 | 030a99f9594434ea83d27b33a95c4d5a |
| SHA1 | 230882058a1d50e4e8f7fa4bb3144dec506c5967 |
| SHA256 | 0fdc72a06cc54771f1b07293d2e914cded985d84833ed4bf952a665eb107b5a3 |
| SHA512 | 529d14374df0b455db055027f42ccf731ddf4b7bef8fc27bffa2ff5a46463dc6b3cacf75fd6356e325f075d7fb70ad0f8abd85feb75d00befd1c86aec857d7ee |
C:\Config.Msi\f76ed21.rbs
| MD5 | 201ffef35639216d3ef1e9070b5e40e6 |
| SHA1 | dd0fdf02bdf6ea46820f86fd0fe6b5ed6df6d954 |
| SHA256 | 11de6a8a77284898006af2532f513a248fcab1b26e6e831c30dfd16b91d265bb |
| SHA512 | 545178a47057b5514bf035aeb110b636bda56568d6d1ee2f53517eec868df72b2b162749ca244a763717b01ba3dff8225687be8272c5f9c27f83cb94796c5a65 |
C:\Windows\Installer\MSI128B.tmp-\srprl.dll
| MD5 | d8fa7df1f2cd92ad701bc23f86d89b54 |
| SHA1 | 72160fd5ad639c5a9c44305b06c98eb637399d18 |
| SHA256 | 475a2c225258c571ae66c0178a83177bd5a59f4ce1be1f867e14e75614ad43e4 |
| SHA512 | a4d11c7f66325199f5c3a41cc37f32cf6ee828d790add1a6b77b9127e65243bb17dcc10b1cb2cbaac4e543bc329bd30e64919ffc0af3fd6088a672e08e10e992 |
C:\Users\Admin\AppData\Local\Smartbar\Application\7cx96mgo.newcfg
| MD5 | 51417498b55cf9dd3d2b06acca131f8d |
| SHA1 | e29cf97632afc31c3f33e92ec11aba4ab6af279f |
| SHA256 | 09c4cf7783aaaf4d783a20d5d424e5d778dfa985cf24d9adab6a8615e5942ea9 |
| SHA512 | 2190da7f78ed76aed06ffabfdcfdff6f248ba7a1990bb80a4949a101626013c87048d5464487bcd0679c50d5019a26379f4f8691d0100ca08f7dfdd709417836 |
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | 1faf3f38f9fe027d3827fc84776f2416 |
| SHA1 | fa1e758c22581ec72d3a098f2aaad00bfc34fe79 |
| SHA256 | 479da90bd0392f89cd1c655c0d51cb8ed5fdee2d8f9e804b9dba9c43ce53a68a |
| SHA512 | 5f313bc9d9cc0d15368103138d54f56455c214c8fcc5b8ba6fcb65631d392babe4216d5378bc025b0cee5442c9accdaa290bfe5832d79142d70fac442a2ebedd |
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | 0e62316be9a0e8b2b4861e7b1c8e6f8d |
| SHA1 | 68dd1cf1ed3deb24f64d9a4ad7cd14f76fb1a669 |
| SHA256 | 16f3c42747ab6e8cfc8fee99dfda998e8f770b3714c1933431bc175a7168eae1 |
| SHA512 | 11a6388c28ec5e4396c2c9aeacc031a10db2f7bcf154ac0f02913a8bd1bd58d4d3e476ee9d42711dc637e3a0e27ed60c233eb2aaed90c70a42ff8b9c52087887 |
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | 3e6b1cde817049f4cd50599149975222 |
| SHA1 | a34266eca7ab6a5a99d5b55faacd03f82a0b6413 |
| SHA256 | c5eaecdc91c28fd75f2930124fb4aaaad3caef941d031d483d966bc6631bf865 |
| SHA512 | fd7332d5120feafee3c0ed2b2fa9ad51a22f303d806435683a608997448a7fd443eccdd9f2e30ad9cd8789c68d68bf70a1f565acb290c6b4d7c9bc5e9e823974 |
C:\Windows\Installer\MSI128B.tmp-\Newtonsoft.Json.dll
| MD5 | 0e32f5229d5ee7d288b6b3969a51fcbc |
| SHA1 | 54c09f07930525786fcf08b9c7aca24185a68fc1 |
| SHA256 | e1ca33208030c858254249b2c9aa6d8541c2e875343b2997f2b2f9e4993c96f8 |
| SHA512 | 64e8499e668ea44397ed5ea009e3692b623d2ac01bdd43e460624fe0282a3398025e4e53282e0f0905062b60400f4c16a64933ed7667de942f1588dd936aebcb |
C:\Windows\Installer\MSI128B.tmp-\Interop.NetFwTypeLib.dll
| MD5 | a084b0c082ec6c9525336b131aeba39a |
| SHA1 | 45db1f5cc54a033e5df460b93edaa5d23a39ced9 |
| SHA256 | 7cba99a0f2a5b233e341f691c2aa6cb4ca10065425fc478b56fa468d6b0af54d |
| SHA512 | 297ba29e1ee4300f1a11620d475e67a9747fd9affabeee5fb5151b07c931c8f5c5af12b956e2ab7bd7dc6ebb1dbc298f5d56fa419f5fe2e3646053c0e515e29b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data.temp
| MD5 | f98745d81e8b84f39630844a63afc1ee |
| SHA1 | d7977c2dab5de25630f7d869f9b16a8502cd3bb3 |
| SHA256 | 9c34e13f0d2852fb4a8a53a4727a59d24691a507edb6ff1965024a6147799a83 |
| SHA512 | e6b1bf12139e627d6aa2b25c9d7e8ebab1e86fc3025655bf88bc735413f55b10490f0237b8d11fd5db0eb6045f6176e93228c70d8e940a62ea4324816c31a3dd |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\cj26u_bb.newcfg
| MD5 | 9b1cba305e9988f541b75fbcfada2fa6 |
| SHA1 | 433562afa91c66051194a4fae3ee5ec0029c409d |
| SHA256 | 91d3bed81713313fa5ef38191b29866088440dedb1bf6e60896c59bce47f35cc |
| SHA512 | 36c5f76d6c292e4dc6355b941fd528d09d0c6d614d0f1ad9ac1d7243acfbc41dbeca950bcf0753a26a67345fd713ecfe17ec5a892e48f6b9a67d39788ffcfed4 |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\user.config
| MD5 | 45b8c6b08ac425d57d6c56a491bd7ce7 |
| SHA1 | 806de52bc10295e3a594a5b472b1f9ec9afe662b |
| SHA256 | 85d6cf2af03a544573b39cb5ed2a8d316ab1d4b3993d55a8428d0542c997095f |
| SHA512 | 556c6888e6c5b171f5a903905df27a0afb4ab774920e500d5b86973783582538f1fe0ed5ce8b740287112cb43ad16355da2886028333d4db78b2b84a18fb1023 |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\aweupsik.newcfg
| MD5 | f8721219c17d6cf59702e426ec3d6f8f |
| SHA1 | 4af8bf7b149e2a91314479dbfd60bb01d28d0946 |
| SHA256 | 7d727683196646846609e8a282135bd24a6d5b06ebb5366aeef1293655998393 |
| SHA512 | a1cea2f64771980a1f59148c702d74fb0f8349e0928524b62e86633b7f3ea1e0ad66c70d24f4a7334033a3776059078baf1415a7b090ac21183a33b77f213a2e |
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-29 03:35
Reported
2024-11-29 03:38
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
137s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup" | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIB0CE.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0CE.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CA9.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CA9.tmp-\srns.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\srus.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0CE.tmp-\Smartbar.Resources.Translations.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0CE.tmp-\Smartbar.Resources.LanguageSettings.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CA9.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CA9.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0CE.tmp-\sppsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CA9.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CA9.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CA9.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\srpdm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\spusm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\Smartbar.Resources.SocialNetsSharer.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\tmp\CZYX5UMY\Interop.SHDocVw.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\spsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0CE.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\e5f87e6.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CA9.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CA9.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\tmp\0OFSPWEO\Microsoft.VisualStudio.OLE.Interop.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\assembly\tmp\9JTPB1ES\System.Data.SQLite.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0CE.tmp-\srbhu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0CE.tmp-\sipb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CA9.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\e5f87ea.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5f87e6.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0CE.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0CE.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0CE.tmp-\spusm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CA9.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CA9.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\srns.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0CE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\MACTrackBarLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0CE.tmp-\Smartbar.Installer.CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0CE.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CA9.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0CE.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CA9.tmp-\srpu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CA9.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\assembly\tmp\0OFSPWEO\__AssemblyInfo__.ini | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0CE.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CF7.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Smartbar.exe = "9999" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\SearchUrl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IESmartBar.BandObjectAttribute\CLSID\ = "{A717364F-69F3-3A24-ADD5-3901A57F880E}" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}\ProgId | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3FC26130-C7E8-31A6-9887-70FEC71F5A46} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F4CA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F28A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2B4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{26D3A9D0-70E0-3905-838B-67B7AEAD16F0}\7.0.3300.0\Class = "mshtml._styleNormal" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\1.0.0.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FECEAAA3-8405-11CF-8BA1-00AA00476DA6}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0B9FE4F7-CA65-3C27-85CA-E351D0908E6D}\1.1.0.0\RuntimeVersion = "v2.0.50727" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D9FB2625-1C86-34B2-BF13-E4BBF98C23E9}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3BBE5145-9284-3874-A8B3-8E6B7E0DC27F}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D48A6EC9-6A4A-11CF-94A7-444553540000}\InprocServer32\7.0.3300.0\Class = "mshtml.OldHTMLDocumentClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3052B1CC-423E-34EF-9804-DD42899A26EE}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F24A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F280-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F282-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F27F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLDDElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34B4F646-3FC3-3CA2-AF86-BDAA6F9167D8}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{79CD6E7C-63CA-39D8-B871-342E17329B46}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{87845C39-C387-384B-99ED-3E3701F86C1D}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F3DC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F70614F4-B26B-3812-8E29-C822C4810B14}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F38F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F276-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\ProgId | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32\1.0.0.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{41A45DAE-3C9F-3768-B837-B785DDC401F2}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5E8433C3-CEE5-399A-883B-0FBB33FA9689}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}\InprocServer32\1.0.0.0\Assembly = "SmartbarInternetExplorerExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F276-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F27D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLDListElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F26C-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B272899F-EB7C-3093-A531-BA9F69B31CEE}\7.0.3300.0\Class = "mshtml.tagRECT" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F26C-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6E7B0F28-0DDC-3AFF-A175-CD28A181C7EC}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4B2-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4CB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLElementCollectionClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F245-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F268-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\ProgId | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{226CBB7D-24E2-3F95-B762-A7EC52DAC005}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F277-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{12A025D4-7210-3AE7-B626-DAFACADC256B}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F27E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{46FCBAE2-6654-3761-B536-78E3F3E7A980}\7.0.3300.0\Class = "mshtml._htmlPersistState" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2B4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{256E3D14-B9B8-3F90-99EC-66E072159ED8} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}\InprocServer32\ = "mscoree.dll" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8C0A7C91-D77F-3637-9090-08B639665910}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F32B-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F268-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3FE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.CMimeTypesClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F35D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E3DAA972-10D1-3199-8BDB-3EC0488306BF}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D3AE66DB-BEAE-3AAB-8FDD-28E7E2469120}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F4941A96-874B-3701-980D-464748D7920F}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.DOMChildrenCollectionClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}\Implemented Categories | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F27C-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{46FCBAE2-6654-3761-B536-78E3F3E7A980}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{87845C39-C387-384B-99ED-3E3701F86C1D}\7.0.3300.0\Class = "mshtml._styleLayoutGridLine" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F269-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D9FB2625-1C86-34B2-BF13-E4BBF98C23E9}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BD5C9919C25F08BBEE51065EB66E4C6F
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI8CA9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241143218 2 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fpqkn48f.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9758.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9757.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hrjwwzng.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A36.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9A35.tmp"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI9CF7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241147140 6 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIB0CE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241152218 52 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8t9ztvpt.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB33D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB33C.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xluzgzn5.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB408.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB407.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
"C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ho68yij2.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF6D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDF6C.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hwzac3nx.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE20D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE20C.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pvsf3mrv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3F1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE3F0.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nj2vffoe.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5C6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE5C5.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d1t9y_43.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6D0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE6CF.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3xd8dn3u.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7AB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE7AA.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yy_ow4ri.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE837.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE836.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lpgetpmj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE902.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE901.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bsp2bva1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA4A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEA49.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bbx0pj2f.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBD1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEBD0.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jmg0uaxu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE52.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEE51.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pe-5xpvx.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF111.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF110.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5kfhjbxr.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3EF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF3EE.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloud-search.linkury.com | udp |
| US | 167.71.184.143:80 | cloud-search.linkury.com | tcp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.184.71.167.in-addr.arpa | udp |
| US | 8.8.8.8:53 | crl.usertrust.com | udp |
| US | 172.64.149.23:80 | crl.usertrust.com | tcp |
| US | 8.8.8.8:53 | crl.comodoca.com | udp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloud-search.snapdoapp.com | udp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | feed.snapdo.com | udp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.232.4.213:80 | feed.snapdo.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | ww99.snapdo.com | udp |
| US | 69.16.230.227:80 | ww99.snapdo.com | tcp |
| US | 8.8.8.8:53 | ww12.snapdo.com | udp |
| US | 75.2.73.197:80 | ww12.snapdo.com | tcp |
| US | 8.8.8.8:53 | 213.4.232.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.230.16.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | 197.73.2.75.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | cloud-search.snapdoapp.com | udp |
| US | 8.8.8.8:53 | pool.ntp.org | udp |
| US | 8.8.8.8:53 | 199.109.58.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.187.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | csc3-2010-crl.verisign.com | udp |
| SE | 192.229.221.95:80 | csc3-2010-crl.verisign.com | tcp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | az412542.vo.msecnd.net | udp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | au.snapdoapp.com | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll
| MD5 | 3cf46bae7e872a661721b0894bc076e2 |
| SHA1 | eaaa0a35e284908dd21cf245a38efe9d2e4c7532 |
| SHA256 | 7ca73cfb8d0502b14b657216b8735394cbd08aa8e4266fb9e86ad84ae159b043 |
| SHA512 | 47065a1cb81b41cab7c98488609470b308c708ba73c0e11c3f06901fde008b280f3b75ee825c12e4681aefbd8a43840e0319b43bbab7fe68b24c30926d0ce9f2 |
C:\Users\Admin\AppData\Local\Temp\smartbar\GuidCreator.dll
| MD5 | 4876414d51fe01bd8525df2f8acd35d6 |
| SHA1 | f9435c39e3029276e71a971e48f68d3f0298fe11 |
| SHA256 | 4bda5a964065b918ce70a27914056b17a95e3f8002028b394ecf8ff2d7cebf3d |
| SHA512 | d18afa3d806fd056836beb5a0822156402afe3455567d41f9b27d578980d5ae341273cadf5dff3175a799e791822e07eede03e3c0c143604f980f7876cd2fc0a |
memory/4432-18-0x0000000003300000-0x0000000003310000-memory.dmp
memory/4432-19-0x0000000074262000-0x0000000074263000-memory.dmp
memory/4432-20-0x0000000074260000-0x0000000074811000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi
| MD5 | e5314db579a141f6a5204f70e7073de0 |
| SHA1 | 3d2e28be7594fd754213e3ea19b4f900f6634c91 |
| SHA256 | 84263b76687ff69f306579fb3f05f3a0528db029cf0f2f60eddc22549545408d |
| SHA512 | f18c446d8e388759c12527ca970dea3c24af954d199c39027eae4ad8c97df7c902f24845ab0ee0ffd9ad9ee6768c43169b11fec47bd3246cd2e9c7e8da44993a |
C:\Windows\Installer\MSI8CA9.tmp
| MD5 | 44c66c7febaf067ac2f96e3bb643a5b3 |
| SHA1 | bc83eb57ebb44206b467c4147a7f82d52662e9b5 |
| SHA256 | 641fae557b683029787befda2a2ed5251b19a4c11fc19e3dbf2cd97459e7e383 |
| SHA512 | 41ce527bd09ae6b3126947197c94169121dcffe79b9db624a17a3a45d4e25a2f53dde0a686b4329b9e2d5c33bbbc6d6b9cc840b97731eac38ae31254dfd3364b |
C:\Windows\Installer\MSI8CA9.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 34d4a23cab5f23c300e965aa56ad3843 |
| SHA1 | 68c62a2834f9d8c59ff395ec4ef405678d564ade |
| SHA256 | 27cf8a37f749692ab4c7a834f14b52a6e0b92102e34b85ffcb2c4ee323df6b9c |
| SHA512 | 7853f1bc1e40c67808da736e30011b3f8a5c19ddf4c6e29b3e0eb458bea2e056fe0b12023ceac7145c948a6635395e466e47bdd6f0cfa1bd7f6a840e31e4694c |
C:\Windows\Installer\MSI8CA9.tmp-\Smartbar.Installer.CustomActions.dll
| MD5 | 2120dbb0481374885af660346f503b9b |
| SHA1 | 0dad9f77c93325cbe2499efac70ebbbfd8e1a4b3 |
| SHA256 | ef0e1d3a5f58e797c47d1ca2999e6ab1e94520c3816a8264874920c26c9ae474 |
| SHA512 | 46966d2eec899fbd48b8aaf5e72555cec3b2f1bc2481c2eb014d98078aa6b6e825144718fbe2aa7b23d816462645186abbfc2ebdc7a4f331d5087999f21ca68a |
C:\Windows\Installer\MSI8CA9.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll
| MD5 | 5dc8a7062040e05ad36bd83246954b05 |
| SHA1 | f6807be0413724076c8c384576ad9a5bc1413e8c |
| SHA256 | d00f229036a6ea19e05c9838f2827fdb22b3003af4c7c97b37abf2ea36236dfc |
| SHA512 | 43cda9b7a57ae292b71df7a8f02c359b486a82162f92e2d8a7449f2b9c835a7ba44177477a7e0763a5698a4b2d9a025f8786c054950db3fab017edfdf4c17f12 |
C:\Windows\Installer\MSI8CA9.tmp-\srbs.dll
| MD5 | 7ec601a05f97c73fc2180e8c57efc9af |
| SHA1 | 7c99dcdcec211459b1d9d429e2ada2839876f492 |
| SHA256 | 982d12314935e25a016da0bec644bc4c8bd02b0984eb70b76e081b3562a6adf8 |
| SHA512 | 119e216313540f0fac30c1a8e531909dbdc8022735a9fb73b80c8bbbb2ff0548cdf911e640cd19827acff703c95b1d8db0ddf3ed61d056e9e4d4f437b8c88e7b |
C:\Windows\Installer\MSI8CA9.tmp-\spusm.dll
| MD5 | e28c8d2fd64ba27d9b992fc325f26a9d |
| SHA1 | d9ed413265967b6ede8787aa8c5e5734a4ea1358 |
| SHA256 | 82d96714ac65e6e18e3da619cfd1367416bba5ed6d08db7bf312f8937f95f2ab |
| SHA512 | e2fcc5972c48fa1d26d2df0b2c5ed4e34d15d7f08eb35510989441b4083f30d19f6d5fc2652ac42d11a3877f333ad4408c0cb547ecf7b948e1f324f719cfc739 |
C:\Windows\Installer\MSI8CA9.tmp-\srbhu.dll
| MD5 | fcbe6dec3d2da2ac9fd2754cc9cf6ad9 |
| SHA1 | 7954bdf16f99bf843c5c8053a078813d87c94254 |
| SHA256 | 71688a7955124b644cb05833d8285b876c7ff336eb4478ce01e1f80b07f7b76e |
| SHA512 | 5975297ac6aaa7d85842079809f9be2ad57959da2687de4bb7aa0764bc16dd878c482a92d7c4a4ed484aa7683f60c90b870757165f79d7ae481b7f7897e94c39 |
C:\Windows\Installer\MSI8CA9.tmp-\sppsm.dll
| MD5 | 787104ad9dea702d115883c489be54cb |
| SHA1 | b24680d170c610203df5e3d1d52b2b04f938dd56 |
| SHA256 | 934230fc9da4c6eac4b1f916baec075ac5faf1a70af14dcdb62d3d06ca878cd3 |
| SHA512 | 861147b8ed484a25a5ca9af8b7488896ee41dfd4eb57dafd4bb33455b03936c8fd930224fd9a1a0e8dcddf0fc33bc7adfc3ac48ca3ff430122f3ce18952fe312 |
C:\Windows\Installer\MSI8CA9.tmp-\Smartbar.Personalization.Common.dll
| MD5 | 347b0b5d32b1a85b5450b08cfb6d2e75 |
| SHA1 | 7bfe1857974a6c6c3e882624d820311c1e3bf670 |
| SHA256 | 76a9f22039731c1fb3871876dd8c55d4ab75635367daa811ced5ed70eed950ac |
| SHA512 | d79edc2546249f71a19faa1ee4aebdfd2faa8b6b56615740c93023255c81716de6c4af484bde506f7dcd80b607d8804313589e58b05dd2448d5c1fca3cd39e92 |
C:\Windows\Installer\MSI8CA9.tmp-\srut.dll
| MD5 | feba43763a9b7fe1c94d681055d10167 |
| SHA1 | 49d30dedf868accf07e6895e1699a4d751235fd0 |
| SHA256 | 0634fa964eba9baed92e2a935aef925fdaa921a35424b6ae9bfaaace932dc49d |
| SHA512 | 680116cfe66472c4d6ae9c94d74cd3fe8cef1c9beade27c19e58369c2c6f238f9e63019d7ea2b8b35689b7c0e812f2ee49d26a56e6972d3e21dc5f7312cf81ef |
C:\Windows\Installer\MSI8CA9.tmp-\Smartbar.Infrastructure.Utilities.dll
| MD5 | 562ac9921d990126990c2f0bdce7081a |
| SHA1 | f395458d8e328cf4809385fef3e225d01f8a8fc0 |
| SHA256 | ef84e1ad9cf174a9ab0bba648b56f2ffd17f4cb4421902b61559b544d812e738 |
| SHA512 | f52a9a62ca7d810804289ffe0300919eea529f2e0d4d07709309e101087809a5a004437184f3a3518fcd286db18947d78ce00bafbcbbe7b62a8aca4cf8295208 |
\??\c:\Users\Admin\AppData\Local\Temp\fpqkn48f.cmdline
| MD5 | 87999d407fc3257dfd01ad9743b0781e |
| SHA1 | c6c23349e8913ebea7ac60782cbe1e55b44084ee |
| SHA256 | 3dc9332118e8affea1b78a4458b0c18ab0a81c076275d1ed1dc645e8267857fb |
| SHA512 | cd1517d16487e6bf93601dfc83251798e353e03796eb555bc1e12a11e28064247b6d90aebb4048de99f4df565e43a86f9b118c5382a159b616116243da9048e3 |
\??\c:\Users\Admin\AppData\Local\Temp\fpqkn48f.0.cs
| MD5 | 6f8e0c3c3b1b9a297b8ee6bfbb9c2a2c |
| SHA1 | 1dbab29ad6fb169fad90e963dd0c5290f27272fc |
| SHA256 | e0514048fd6f4169c41896332a243cf014a719e5fe217c5743fc3c7149db578a |
| SHA512 | 193fc4f01b6afb2a858f006eb7c5dfd6106d88b0b0e0f12b4c8c103a8bae270ff0d583886ec5af910ce4d50cb1ccfb54a14d27fd517b847a624d9ba79f688640 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC9757.tmp
| MD5 | 8864e76e45475cfb9946cf2d8f84bdea |
| SHA1 | c45872c58dae15fdfe536e7f7773f7c9a6ab6068 |
| SHA256 | 6c27c251ebdb5538894b0be71a758fe6b32550952bcf96a076188ed609fd0fd4 |
| SHA512 | 87e67257a423fe06ca0ae697be64b506cb6fb4c2b9a1a53abbe8897da85b5807364a7e367e72d48639b27e02220955fc6f351ee1613ae899ea2e5d445995f7d7 |
C:\Users\Admin\AppData\Local\Temp\RES9758.tmp
| MD5 | 88f751dbe4a8bbafa919e9e8e52864b7 |
| SHA1 | 213265a7fa8daa3a74513f5f64eb6e5c3558cdaf |
| SHA256 | 39b9e4b70e10574ca48cd24d69349d3ae5c3c36595c9ed061911c388a632b872 |
| SHA512 | bd0e5cd9db1d452f1f5572811c37318aafdafa2b2e15bf748ba36698f3fa74c365d6debfbcd547abbe1abc8cab95c70d0dd94ec7c792342a7e286747e5842a74 |
C:\Users\Admin\AppData\Local\Temp\fpqkn48f.dll
| MD5 | 9f829fd211b07b075a7c37b0a604b47a |
| SHA1 | 2554ce9c082764e46631f867cbe29a2ad0c872e7 |
| SHA256 | 125fc59e1b272e98f4868301c48a844daa80d9dd59b1773db5c4201a92267f1b |
| SHA512 | 4a665d5187e00f7d47d7ade7c2fc4e179d33f51b4293990d45ab33bafcb7975a387dcb49a3f6e33df8d7db7c7bb0f105e53cca8330c90f44f4e7704898bc6f83 |
C:\Windows\Installer\MSI8CA9.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
| MD5 | 7868ed46c34a1b36bea10560f453598f |
| SHA1 | 72330dac6f8aed0b8fde9d7f58f04192a0303d6b |
| SHA256 | 5c17864f1572acec1f93cf6355cfd362c1e96236dcba790234985a3f108d8176 |
| SHA512 | 0cc913337e3334ff0653bc1fad044d9df60a8728c233dcc2c7f6139f14608740b70b57c25a9d2d895cbc4d59508779f342a72406e623d30365ae89fb2a3607ba |
C:\Windows\Installer\MSI8CA9.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll
| MD5 | adb53ee43f74f430368449b98b2f6f86 |
| SHA1 | fb882d80da9ccf79c6817a492fbd686d4759bb41 |
| SHA256 | b7837a68ede7781286057de0b59b7bb9c7c29ff9e9ded32c7175cafe9de3b5ff |
| SHA512 | 8fc2cd5a585c8247274fbe8d53ac27faa1f2b0407d27e5e78d6917cfa94947ace2aa20ca670a5b87e3d7a939360691102ed9c7530ec997af1057064bcb9c085a |
\??\c:\Users\Admin\AppData\Local\Temp\hrjwwzng.0.cs
| MD5 | 14ac60821b7e9508914fdf584ef23f46 |
| SHA1 | 9bc6cb0f7ea31050962fe56398213a48c5097ffa |
| SHA256 | ed564c34b04178601638c4c2a9ac3c21ac83d4031976fbd467c42d8e1a7c7c1c |
| SHA512 | b3faf1282b570436807b403ebd7aead6e86dbcb61dd64cfba0bc25023ddfe2017434e7f2ba34c0e69974b6f28587d75448f6b9567814d93130e9c7c3b8d01cd5 |
\??\c:\Users\Admin\AppData\Local\Temp\hrjwwzng.cmdline
| MD5 | 887074258f759cfc9f3b7834b5e6e9b3 |
| SHA1 | 0384569bad80c6d5d023e6a2a14ce0753d61cb20 |
| SHA256 | d10a5badc64a77f7ab1f23806110b4b1579b979c4ec44cccef7506d13f51b14f |
| SHA512 | 2186c8ee4a10591eadd2865da20c86e68e9f34f5222885a8e7a9d5d2d64d83a155b2cef6e7b3e775c1460d971ab08f1be08b64019bcc0dd26d41299141bd7060 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC9A35.tmp
| MD5 | aba0ef546a32d119532a2e1f924d024c |
| SHA1 | 2b488efe7b1ad016a05ff31d4de7fdb0b3ae944a |
| SHA256 | 7e32fd2dadc7357eb69ec2ef95145086478172763bb96d6576d6602235b9a4c5 |
| SHA512 | 7c588b7f5fe1b4e31aa42e40c3e9bdfd83a348b3593d3fde5134b43822d71ac48f4abb8b20aa723a8642e9d3f1883bf29fb202b971ad61fa44a38e147849176d |
memory/4432-203-0x0000000003300000-0x0000000003310000-memory.dmp
C:\Windows\Installer\MSI9CF7.tmp-\CustomAction.config
| MD5 | 796621b6895449a5f70ca6b78e62f318 |
| SHA1 | 2423c3e71fe5fa55fd71c00ae4e42063f4476bca |
| SHA256 | 09be5df7a85545fd93d9fd3cd1d6c04c6bfe6e233c68da6f81c49e7a35fcbb84 |
| SHA512 | 081cf1dadb3a0e50f0a31ab03e2b08e80298c06070cd6f9b2806c08d400c07134623f7229a6c99910c6243dfa53c6e2c05d09a497aae1e701bc34b660cf9e4c9 |
memory/4432-371-0x0000000074262000-0x0000000074263000-memory.dmp
memory/4432-373-0x0000000074260000-0x0000000074811000-memory.dmp
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133CPress.png
| MD5 | 5719ee7f6521ae142f0557f0706cded1 |
| SHA1 | a1d5694197827967aea5b3ccc88e2f91d465c283 |
| SHA256 | 0a2ae8f3e9aa552748cfeadaec055778487602e7f6d4a6c2a221fe1fd496bfaf |
| SHA512 | cde76dada9e798a746d7ae23ee189940a6b7660805267a9221501c5c911a89b298005f111622fae7c886e810e23f83b77d47fa75793d19441246eb775a2f2bf6 |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\3C610B86-19DE-4757-B46A-871C9C27FF0APress.png
| MD5 | 2768222689e3585d609b5a2afc1ba52c |
| SHA1 | ee522df6b2e365857bf6be58ac7150cbc71cfc9c |
| SHA256 | 21ee471e79b0a646735e132bc1f0c48f464677127b105426e00b160a554de6b0 |
| SHA512 | 56527749dca471af92eb4166b2bb6f1ca4cbf07c8d7e1a201378467f1d08efe5fd913715bb995d35c7d511b2cbdc9469d79baae7ee4bab619e4e11753c3505e4 |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png
| MD5 | e6ab030a2d47b1306ad071cb3e011c1d |
| SHA1 | ed5f9a6503c39832e8b1339d5b16464c5d5a3f03 |
| SHA256 | 054e94c94e34cef7c2fad7a0f3129c4666d07f439bfec39523dca7441a49bd7c |
| SHA512 | 4cbb002cc2d593bafd2e804cb6f1379187a9cae7d6cc45068fda6d178746420cc90bcd72ba40fc5b8b744170e64df2b296f2a45c8640819aa8b3c775e6120163 |
memory/984-1107-0x000001D87FC10000-0x000001D87FC36000-memory.dmp
memory/984-1134-0x000001D87FC40000-0x000001D87FC60000-memory.dmp
memory/984-1231-0x0000000000F90000-0x0000000001073000-memory.dmp
C:\Windows\assembly\tmp\9JTPB1ES\System.Data.SQLite.dll
| MD5 | c2e38bfe933c5bce36910fe1fb1d5067 |
| SHA1 | aac5ed2724e2f88c7af1a3bf56d73180ae709bb7 |
| SHA256 | 49a51063aaccc22a28590575417bdff40a67a06e6f2a67217b37af1b49fa6286 |
| SHA512 | 281225b5e7193270b27811224c70475fc9af47c5d05a7e98f6856ad6abccff084302d0ddb72868d6872eef2efaf2989645af5e596083bfb995f214182aa4184d |
C:\Windows\assembly\tmp\CZYX5UMY\Interop.SHDocVw.dll
| MD5 | 030a99f9594434ea83d27b33a95c4d5a |
| SHA1 | 230882058a1d50e4e8f7fa4bb3144dec506c5967 |
| SHA256 | 0fdc72a06cc54771f1b07293d2e914cded985d84833ed4bf952a665eb107b5a3 |
| SHA512 | 529d14374df0b455db055027f42ccf731ddf4b7bef8fc27bffa2ff5a46463dc6b3cacf75fd6356e325f075d7fb70ad0f8abd85feb75d00befd1c86aec857d7ee |
C:\Windows\assembly\GAC\Microsoft.VisualStudio.OLE.Interop\7.1.40304.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.OLE.Interop.dll
| MD5 | 459ff9c6762b7fdd91c156ff3e096478 |
| SHA1 | 7179debce9a271450b1241e7435a999aea1ddd05 |
| SHA256 | 93865c89e1507409fbbeb9433542a303cdd2fd5acda3d51fecd83e4a8fb8072c |
| SHA512 | 8b95330d364413122427604af1c0e848694975eb8c541b911aeb0d50fbb5cd15a60863f68593f1088b26f83500f400f52292a2891511223f796be750c6a7583a |
C:\Config.Msi\e5f87e9.rbs
| MD5 | 049134582cd0953f1f07dd0b8ca7e588 |
| SHA1 | b223c9aca1c0a622d39275a5a5f8c5cfec5d551e |
| SHA256 | 618a534f068ffe7eba346af753189c23f31fdcd67396f4cee3adcabe494070af |
| SHA512 | f4d827a8368a4b221bc29e96f0fecc6ff4b9518e707d0b6ee9a996a91a83ed63b4f113ec4199ddba00245fe4b81287d368041ca32b2fb081ef9a2a550c1fd3d9 |
C:\Windows\Installer\MSIB0CE.tmp-\srprl.dll
| MD5 | d8fa7df1f2cd92ad701bc23f86d89b54 |
| SHA1 | 72160fd5ad639c5a9c44305b06c98eb637399d18 |
| SHA256 | 475a2c225258c571ae66c0178a83177bd5a59f4ce1be1f867e14e75614ad43e4 |
| SHA512 | a4d11c7f66325199f5c3a41cc37f32cf6ee828d790add1a6b77b9127e65243bb17dcc10b1cb2cbaac4e543bc329bd30e64919ffc0af3fd6088a672e08e10e992 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0
| MD5 | 5bfa51f3a417b98e7443eca90fc94703 |
| SHA1 | 8c015d80b8a23f780bdd215dc842b0f5551f63bd |
| SHA256 | bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128 |
| SHA512 | 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399 |
C:\Users\Admin\AppData\Local\Smartbar\Application\sduiey9w.newcfg
| MD5 | ec3f05ac2148162ddb052f23299b8ecb |
| SHA1 | 6ce68e94fb7df83ae34094a85abfefce8a3b8d79 |
| SHA256 | 449ab9dae5f16f9dc9e70e37930aeb4c78e057debbb8fe25fb5460a9666ec016 |
| SHA512 | d166cb06e095281a4a26bdb78e7752d8f9d0e408aa3048eea2294222aa0b7e901364ba377cfc353ada392693b15736c96267697dcabc745f2e4b3d539599b70a |
memory/2608-1388-0x000000001CE60000-0x000000001CE78000-memory.dmp
memory/2608-1396-0x000000001F470000-0x000000001F93E000-memory.dmp
memory/2608-1397-0x000000001E050000-0x000000001E0EC000-memory.dmp
memory/4992-1406-0x000000001D180000-0x000000001D1A6000-memory.dmp
memory/4840-1414-0x000000001D190000-0x000000001D936000-memory.dmp
memory/4840-1415-0x000000001D940000-0x000000001E0E6000-memory.dmp
memory/4368-1423-0x000000001CD00000-0x000000001CD26000-memory.dmp
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | f69600824ef913174dbed8271fd4a423 |
| SHA1 | 7a462e828ff2dcd2409f094baa10099e5166258c |
| SHA256 | 513104810805c8b7cd870b2644336c64bf44990b153a77c29aab782ec539b34e |
| SHA512 | c8bacc1ebe131d3b79e2064df771d40859d2576bfd719589aa26eb9112ec6509f241e489e6fc2dc68850320184fc3a18f50f681222a1a8599d5a6494ed24392d |
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | 56a768eeb9c038eb9e67cf82c5589bd3 |
| SHA1 | 63ca5565664ef128e5e0bd8936e276392711081d |
| SHA256 | c509ef1c83f5fed0f1540054265766696aa1981f168166ddb9dc4d660d841371 |
| SHA512 | a82cfb565914c7bb9260924ddee8d3e1d24709eaaabdef56777cb776cb6de27223f822e7f5c556969bed887cdfcc306ef59a3f698e17dfbda6eaa06afd821661 |
C:\Windows\Installer\MSIB0CE.tmp-\Newtonsoft.Json.dll
| MD5 | 0e32f5229d5ee7d288b6b3969a51fcbc |
| SHA1 | 54c09f07930525786fcf08b9c7aca24185a68fc1 |
| SHA256 | e1ca33208030c858254249b2c9aa6d8541c2e875343b2997f2b2f9e4993c96f8 |
| SHA512 | 64e8499e668ea44397ed5ea009e3692b623d2ac01bdd43e460624fe0282a3398025e4e53282e0f0905062b60400f4c16a64933ed7667de942f1588dd936aebcb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0
| MD5 | 9431f12682c6f9154bd8e894205a3ef9 |
| SHA1 | 027997b6d234952c73928549c4b5e2a0f9efe0ca |
| SHA256 | 96e1d304fa13d3a64df13d884447cc08846239ef4c5e121c1f749242e32c8fcc |
| SHA512 | 214a54de1977f1c62079a72c68a5755cf1c0578c58377549d686dae2d15d109e1940f1195519d221006989725ded8eacae76e434f6157529724cbfee43a92de1 |
C:\Windows\Installer\MSIB0CE.tmp-\Interop.NetFwTypeLib.dll
| MD5 | a084b0c082ec6c9525336b131aeba39a |
| SHA1 | 45db1f5cc54a033e5df460b93edaa5d23a39ced9 |
| SHA256 | 7cba99a0f2a5b233e341f691c2aa6cb4ca10065425fc478b56fa468d6b0af54d |
| SHA512 | 297ba29e1ee4300f1a11620d475e67a9747fd9affabeee5fb5151b07c931c8f5c5af12b956e2ab7bd7dc6ebb1dbc298f5d56fa419f5fe2e3646053c0e515e29b |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\hfajtnbg.newcfg
| MD5 | 38ae21c87ce6135d4d7ad14a5882e6bb |
| SHA1 | a1a2abaa8c13d63e749d651db8f19ee70481cd9f |
| SHA256 | 23881cd3efcbf805e520bbb50a2749b527d74b92af718a7dacd2cc47a2ceba7a |
| SHA512 | 4d6131cf869df1474d1f64f065d6276a5abf74d16d9536d08113d648be472f41d992f8a2a16f13f80b417585ec144dd4a9deea73efdbe9ce0c84d8db67fbe276 |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\user.config
| MD5 | 44af03357f91aee84acf3c5fb936d152 |
| SHA1 | 63882d62ea1dd1dbf9f2c1fab0251820ddb93fae |
| SHA256 | e7dcff87c27626f3f8aecc760398a95a2d7144cd3c0172ed4c9011c1e9a91e4a |
| SHA512 | ef039772460b58983b1d9fa76fe5081a13d5f28bae86848e6926880587b659f3ba9ea106ea38c1bad2899c4645ae2d3195e493f094a2632b6dd168a222677912 |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\7w_hnzzk.newcfg
| MD5 | d25c6470fc8068b7d86fb5f809ddcb79 |
| SHA1 | 7584bca0c6d47b5e2a7b68b8bca3ea5004078060 |
| SHA256 | 3f8122a847cc1e7b24a2614f8ab9aceeeecf0a54cf9a50c776491af97ba799bb |
| SHA512 | cb2fabbbe12a07719a329c165e0a0f1f8613ec9d9d1a4a7bdc981b7e62f0e2b3fcfbc0fc262519db75c1b43a78659ad993e6927859a8c0f1fb9b0c0674025bee |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
memory/4432-1850-0x0000000074260000-0x0000000074811000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-29 03:35
Reported
2024-11-29 03:38
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PandaStealer
Pandastealer family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup" | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\srpu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\Smartbar.Resources.SocialNetsSharer.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA652.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\srus.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\assembly\tmp\XYUYWVOF\__AssemblyInfo__.ini | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\srpu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA652.tmp-\srbhu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\spsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA652.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{9726F9E3-EE13-4601-B2AF-81B1413BD8AF} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\spusm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\MACTrackBarLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA652.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\srpdm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA652.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA652.tmp-\Smartbar.GUI.Controls.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA652.tmp-\Microsoft.Practices.EnterpriseLibrary.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA652.tmp-\Smartbar.Resources.LanguageSettings.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\tmp\KAZMJY3J\Interop.SHDocVw.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA652.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\srut.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\Smartbar.Resources.Translations.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\Smartbar.Resources.SocialNetsSharer.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA652.tmp-\srut.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA652.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\Smartbar.Resources.Translations.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA652.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\Microsoft.Practices.EnterpriseLibrary.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA652.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB018.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDA6.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA652.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aea459bd4a96c0440c4435bfe39aaf40_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4030411079" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31146511" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b01e1ff20f42db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439616359" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5} | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31146511" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate=29/11/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Search | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst = "yes" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\SearchUrl | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4032754910" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate=29/11/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate=29/11/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate=29/11/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Smartbar.exe = "9999" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\USER PREFERENCES | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst = "yes" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c88e6291f50dd448b150439a5f2f5a3d00000000020000000000106600000001000020000000e4365443f54eff9178cfdab23f874713cae30f772ef9d1f137ce776cfe914ac6000000000e8000000002000020000000535d0147b4bd28a7ae8547feffd5d8ed95668c414d46a6bd63d69695311bc99120000000a1bf0c5378821f32a595fc7b288222e274179a462ed28e1eb6bc222736038c1340000000fdf85fd938c74526e316e1d20654b8ea51506309a50bbb38915448b7b2c46d48019d18c3b525744fd590a3b405e90a754f2e39b47a3cd3a390169414d71f2f0f | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=hp&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=hp&installDate=29/11/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
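The two Internet Explorer tables above, plus the RegAsm CodeBase entry under "Modifies registry class" below, carry the indicators a responder would actually pull out of this report: start page and search URLs redirected to feed.snapdo.com, a new SearchScopes GUID installed as DefaultScope, a toolbar CLSID registered as "Smartbar", and a COM server whose code base lives under the user's AppData. The script below is an added example, not part of the sandbox report and not Triage or Smartbar code. It parses rows in the pipe-separated layout this page uses and extracts those indicators. The sample rows are constructed from this report with their query strings shortened; the trusted-host allowlist and the user-writable-path heuristic are assumptions, not something the report states.

```python
"""Pull browser-hijack indicators out of sandbox registry-event rows.

Added example (not Triage, Smartbar or report-author code). Input rows use
the layout of this page: "| Set value (str) | <key>\<name> = "<data>" | <process> | N/A |".
"""
import re
from urllib.parse import urlparse

# Constructed from this report's tables; URL query strings are shortened.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&searchtype=hp&installDate=29/11/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&searchtype=ds&q={searchTerms}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&FORM=IE8SSC&market={language}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&searchtype=ds&q={searchTerms}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerBHO.DLL" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
"""

ROW_RE = re.compile(r"^\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]*?)\s*\|$")
# "<key path>\<value name> = <data>"; the value name is the last path component.
SET_RE = re.compile(r"^(?P<key>.+?)\\(?P<name>[^\\]+?) = (?P<data>.*)$")

TRUSTED_HOSTS = ("microsoft.com", "bing.com", "msn.com", "live.com")  # assumed allowlist
HIJACK_VALUES = {"Start Page", "Search Page", "Search Bar", "Default_Search_URL", "Default", "URL"}
USER_WRITABLE = re.compile(r"/users/[^/]+/appdata/|/temp/", re.I)  # assumed heuristic


def parse_rows(text):
    """Yield one dict per data row; header and blank lines are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group(1) == "Description":
            continue
        action, indicator, process, _target = m.groups()
        row = {"action": action, "key": indicator, "name": None, "data": None, "process": process}
        if action.startswith("Set value"):
            s = SET_RE.match(indicator)
            if s:
                row["key"], row["name"] = s.group("key"), s.group("name")
                row["data"] = s.group("data").strip('"')
        yield row


def trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTS)


def analyze(rows):
    """Correlate the rows into the indicators a responder reports."""
    out = {"hijack_urls": [], "hijack_hosts": set(), "default_scope": None,
           "default_scope_url": None, "toolbars": {}, "user_writable_codebase": []}
    scope_urls = {}
    for r in rows:
        key, name, data = r["key"], r["name"], r["data"]
        if name is None:  # Key created / Key deleted rows carry no value
            continue
        klow = key.lower()
        ie = "\\internet explorer\\" in klow
        if ie and name == "DefaultScope":
            out["default_scope"] = data.lower()
        if ie and "\\searchscopes\\{" in klow and name == "URL":
            scope_urls[key.rsplit("\\", 1)[1].lower()] = data
        if ie and name in HIJACK_VALUES and data.lower().startswith(("http://", "https://")):
            host = urlparse(data).hostname or ""
            if not trusted(host):
                out["hijack_urls"].append((name, host, r["process"]))
                out["hijack_hosts"].add(host)
        if ie and klow.endswith("\\toolbar") and name.startswith("{"):
            out["toolbars"][name.lower()] = data
        if name == "CodeBase" and "\\inprocserver32" in klow:
            path = data.replace("\\", "/")
            if USER_WRITABLE.search(path):
                out["user_writable_codebase"].append(path)
    if out["default_scope"]:
        out["default_scope_url"] = scope_urls.get(out["default_scope"])
    return out


def analyze_report(text=SAMPLE_ROWS):
    return analyze(parse_rows(text))


if __name__ == "__main__":
    res = analyze_report()
    print("hijack hosts:", sorted(res["hijack_hosts"]))
    print("default scope:", res["default_scope"], "->", res["default_scope_url"])
    print("toolbars:", res["toolbars"])
    print("user-writable COM servers:", res["user_writable_codebase"])
```

A DefaultScope write on its own is low-signal, since Internet Explorer rewrites it itself; what makes the rows above a hijack is the pairing of the new scope GUID with a non-Microsoft URL, the same URL written to Start Page, Search Page and Default_Search_URL by an installer-spawned rundll32.exe, and a toolbar/BHO registered through RegAsm.exe from a DLL under the user's profile rather than Program Files.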
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8E086BAE-D86D-3F6C-9098-EDB0CE1E8103}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5F5-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0B9FE4F7-CA65-3C27-85CA-E351D0908E6D}\1.1.0.0\RuntimeVersion = "v2.0.50727" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5F5-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTCAttachBehaviorClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{777BF24E-A6C1-301D-8F59-25FC964EEC68}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5F5-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8F54FA54-1DF8-3B20-890C-CDD95364BC95}\1.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{25E1210D-EE4F-33C9-9D14-5A619A077233} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F26A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4B8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2AC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4E953F92-B7F6-39FA-A192-FB2BB7299F3A}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F80E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F37F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{13766CFA-3621-3B68-9709-6CBCAE6008A4}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F0EBA606-4E8D-3878-8A17-DDD69878CC4A}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F279-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F35D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLScreenClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerBHO.DLL" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F26F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F249-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F6C8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3CE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F24A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F273-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2B9-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLMarqueeElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3FB5C8C6-11BF-32E3-9F5E-6F95AFA8D553}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F28A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLDialogClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{41CE25A3-364F-363C-B344-545C1A43472D}\1.1.0.0\RuntimeVersion = "v2.0.50727" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D605E460-59C4-3D0A-9116-608B63FE300A}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F831-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F83A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\Class = "IESmartBar.SmartbarDisplayState" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F7F6-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F83E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLParamElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2A7855AF-528E-3692-8F4E-E6AD67AF1BF2}\7.0.3300.0\Class = "mshtml._styleBackgroundRepeat" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8C0A7C91-D77F-3637-9090-08B639665910}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32\1.0.0.0\Assembly = "SmartbarInternetExplorerExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{656130CD-753E-3DDC-893C-D6975C1EEED9}\7.0.3300.0\Class = "mshtml._htmlCaptionVAlign" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F37D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5CB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F273-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLLIElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F38D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLOptionElementFactoryClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2C6-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F276-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLBaseElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{46B186E7-5F33-3B60-8B70-9D95A04C1A59}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F27C-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{14E188CC-FA04-3A67-8226-82D4BB68FD4F}\7.0.3300.0\Class = "mshtml._HT_OPTIONS" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\ = "mscoree.dll" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F3F5-98B4-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E683717D-A679-364D-BFFC-FD1EB7F22DBB}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{328AAE04-2F14-3F34-91E5-03B5DB97E915}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A93A6C9E-D601-3E81-81BF-6C1567B89288}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A0E61354-0A90-35E6-9484-5750A1C240D8}\7.0.3300.0\Class = "mshtml._stylePosition" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\ = "IESmartBar.SmartbarDisplayState" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary certificate data omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary certificate data omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (binary certificate data omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (binary certificate data omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aea459bd4a96c0440c4435bfe39aaf40_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aea459bd4a96c0440c4435bfe39aaf40_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\Installer.exe
C:\Users\Admin\AppData\Local\Temp\Installer.exe /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE;INSTALLATION_ID:5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DCBB2B52B2EF80B4C1137949BF261CB9
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIA652.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240625421 2 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aoyvndj1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAF6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAAF5.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i7foblf0.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADD5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCADD4.tmp"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIB018.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240627750 6 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIBDA6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240631218 73 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\drjzys05.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC092.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC091.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0jn7eabq.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC13E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC13D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
"C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=sc&installDate=29/11/2024
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=sc&installDate=29/11/2024
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vasfce06.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE928.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE918.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dzs-tdpb.cmdline"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:17410 /prefetch:2
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA42.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEA41.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\owud39l2.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC07.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEC06.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ibdsexpr.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED4F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCED4E.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\soj40a74.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE49.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEE48.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\50ejpper.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF24.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEF23.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pmd9x2ul.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFFE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEFFD.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tiqw5q_k.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0E9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF0E8.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wtd8azit.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF202.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF201.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lda-ibgj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF31B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF31A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qmsc2ntv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5EA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF5E9.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v5nxfazz.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF945.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF944.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0btjtlwq.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBF5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFBF4.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloud-search.linkury.com | udp |
| US | 167.71.184.143:80 | cloud-search.linkury.com | tcp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.184.71.167.in-addr.arpa | udp |
| US | 8.8.8.8:53 | crl.usertrust.com | udp |
| US | 172.64.149.23:80 | crl.usertrust.com | tcp |
| US | 8.8.8.8:53 | crl.comodoca.com | udp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloud-search.snapdoapp.com | udp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | feed.snapdo.com | udp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.232.25.148:80 | feed.snapdo.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | 148.25.232.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww99.snapdo.com | udp |
| US | 69.16.230.227:80 | ww99.snapdo.com | tcp |
| US | 8.8.8.8:53 | ww12.snapdo.com | udp |
| US | 75.2.73.197:80 | ww12.snapdo.com | tcp |
| US | 8.8.8.8:53 | 227.230.16.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.73.2.75.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 172.232.25.148:80 | feed.snapdo.com | tcp |
| US | 172.232.25.148:80 | feed.snapdo.com | tcp |
| US | 69.16.230.227:80 | ww99.snapdo.com | tcp |
| US | 69.16.230.227:80 | ww99.snapdo.com | tcp |
| US | 75.2.73.197:80 | ww12.snapdo.com | tcp |
| US | 75.2.73.197:80 | ww12.snapdo.com | tcp |
| US | 8.8.8.8:53 | parking3.parklogic.com | udp |
| US | 170.187.143.93:443 | parking3.parklogic.com | tcp |
| US | 170.187.143.93:443 | parking3.parklogic.com | tcp |
| US | 8.8.8.8:53 | 93.143.187.170.in-addr.arpa | udp |
| US | 8.8.8.8:53 | crt.sectigo.com | udp |
| US | 104.18.38.233:80 | crt.sectigo.com | tcp |
| US | 104.18.38.233:80 | crt.sectigo.com | tcp |
| US | 8.8.8.8:53 | cloud-search.snapdoapp.com | udp |
| US | 8.8.8.8:53 | pool.ntp.org | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | d38psrni17bvxu.cloudfront.net | udp |
| NL | 18.239.102.197:80 | d38psrni17bvxu.cloudfront.net | tcp |
| NL | 18.239.102.197:80 | d38psrni17bvxu.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 1.200.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.102.239.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.187.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | az412542.vo.msecnd.net | udp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 8.8.8.8:53 | csc3-2010-crl.verisign.com | udp |
| SE | 192.229.221.95:80 | csc3-2010-crl.verisign.com | tcp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | install.outbrowse.com | udp |
| US | 76.223.54.146:80 | install.outbrowse.com | tcp |
| US | 8.8.8.8:53 | 146.54.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| SE | 192.229.221.95:80 | csc3-2010-crl.verisign.com | tcp |
| US | 8.8.8.8:53 | au.snapdoapp.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| SE | 192.229.221.95:80 | csc3-2010-crl.verisign.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsp9386.tmp\Registry.dll
| MD5 | 2b7007ed0262ca02ef69d8990815cbeb |
| SHA1 | 2eabe4f755213666dbbbde024a5235ddde02b47f |
| SHA256 | 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d |
| SHA512 | aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca |
C:\Users\Admin\AppData\Local\Temp\Installer.exe
| MD5 | 564e47a3604ced3b7c18e43250226cd7 |
| SHA1 | a3eef8fac3617d048fb9fce2201937297e3920f1 |
| SHA256 | 12ae00fe728b441221acd10483eeb1197884738e9bd6eb715ceadeea058c6c83 |
| SHA512 | e925e2a5b60c7257ac6b57b3fc12675d2cc490070c456a8e794f54c6732cc34981c0d88a5acfb2214fd316194f24eae83e8151cfab101daa2f1b59f2d621cdbf |
C:\Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll
| MD5 | 3cf46bae7e872a661721b0894bc076e2 |
| SHA1 | eaaa0a35e284908dd21cf245a38efe9d2e4c7532 |
| SHA256 | 7ca73cfb8d0502b14b657216b8735394cbd08aa8e4266fb9e86ad84ae159b043 |
| SHA512 | 47065a1cb81b41cab7c98488609470b308c708ba73c0e11c3f06901fde008b280f3b75ee825c12e4681aefbd8a43840e0319b43bbab7fe68b24c30926d0ce9f2 |
C:\Users\Admin\AppData\Local\Temp\smartbar\GuidCreator.dll
| MD5 | 4876414d51fe01bd8525df2f8acd35d6 |
| SHA1 | f9435c39e3029276e71a971e48f68d3f0298fe11 |
| SHA256 | 4bda5a964065b918ce70a27914056b17a95e3f8002028b394ecf8ff2d7cebf3d |
| SHA512 | d18afa3d806fd056836beb5a0822156402afe3455567d41f9b27d578980d5ae341273cadf5dff3175a799e791822e07eede03e3c0c143604f980f7876cd2fc0a |
memory/1096-27-0x00000000035B0000-0x00000000035C0000-memory.dmp
memory/1096-28-0x0000000074452000-0x0000000074453000-memory.dmp
memory/1096-32-0x0000000074450000-0x0000000074A01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi
| MD5 | e5314db579a141f6a5204f70e7073de0 |
| SHA1 | 3d2e28be7594fd754213e3ea19b4f900f6634c91 |
| SHA256 | 84263b76687ff69f306579fb3f05f3a0528db029cf0f2f60eddc22549545408d |
| SHA512 | f18c446d8e388759c12527ca970dea3c24af954d199c39027eae4ad8c97df7c902f24845ab0ee0ffd9ad9ee6768c43169b11fec47bd3246cd2e9c7e8da44993a |
C:\Windows\Installer\MSIA652.tmp
| MD5 | 44c66c7febaf067ac2f96e3bb643a5b3 |
| SHA1 | bc83eb57ebb44206b467c4147a7f82d52662e9b5 |
| SHA256 | 641fae557b683029787befda2a2ed5251b19a4c11fc19e3dbf2cd97459e7e383 |
| SHA512 | 41ce527bd09ae6b3126947197c94169121dcffe79b9db624a17a3a45d4e25a2f53dde0a686b4329b9e2d5c33bbbc6d6b9cc840b97731eac38ae31254dfd3364b |
C:\Windows\Installer\MSIA652.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 34d4a23cab5f23c300e965aa56ad3843 |
| SHA1 | 68c62a2834f9d8c59ff395ec4ef405678d564ade |
| SHA256 | 27cf8a37f749692ab4c7a834f14b52a6e0b92102e34b85ffcb2c4ee323df6b9c |
| SHA512 | 7853f1bc1e40c67808da736e30011b3f8a5c19ddf4c6e29b3e0eb458bea2e056fe0b12023ceac7145c948a6635395e466e47bdd6f0cfa1bd7f6a840e31e4694c |
C:\Windows\Installer\MSIA652.tmp-\Smartbar.Installer.CustomActions.dll
| MD5 | 2120dbb0481374885af660346f503b9b |
| SHA1 | 0dad9f77c93325cbe2499efac70ebbbfd8e1a4b3 |
| SHA256 | ef0e1d3a5f58e797c47d1ca2999e6ab1e94520c3816a8264874920c26c9ae474 |
| SHA512 | 46966d2eec899fbd48b8aaf5e72555cec3b2f1bc2481c2eb014d98078aa6b6e825144718fbe2aa7b23d816462645186abbfc2ebdc7a4f331d5087999f21ca68a |
C:\Windows\Installer\MSIA652.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll
| MD5 | 5dc8a7062040e05ad36bd83246954b05 |
| SHA1 | f6807be0413724076c8c384576ad9a5bc1413e8c |
| SHA256 | d00f229036a6ea19e05c9838f2827fdb22b3003af4c7c97b37abf2ea36236dfc |
| SHA512 | 43cda9b7a57ae292b71df7a8f02c359b486a82162f92e2d8a7449f2b9c835a7ba44177477a7e0763a5698a4b2d9a025f8786c054950db3fab017edfdf4c17f12 |
C:\Windows\Installer\MSIA652.tmp-\srbs.dll
| MD5 | 7ec601a05f97c73fc2180e8c57efc9af |
| SHA1 | 7c99dcdcec211459b1d9d429e2ada2839876f492 |
| SHA256 | 982d12314935e25a016da0bec644bc4c8bd02b0984eb70b76e081b3562a6adf8 |
| SHA512 | 119e216313540f0fac30c1a8e531909dbdc8022735a9fb73b80c8bbbb2ff0548cdf911e640cd19827acff703c95b1d8db0ddf3ed61d056e9e4d4f437b8c88e7b |
C:\Windows\Installer\MSIA652.tmp-\spusm.dll
| MD5 | e28c8d2fd64ba27d9b992fc325f26a9d |
| SHA1 | d9ed413265967b6ede8787aa8c5e5734a4ea1358 |
| SHA256 | 82d96714ac65e6e18e3da619cfd1367416bba5ed6d08db7bf312f8937f95f2ab |
| SHA512 | e2fcc5972c48fa1d26d2df0b2c5ed4e34d15d7f08eb35510989441b4083f30d19f6d5fc2652ac42d11a3877f333ad4408c0cb547ecf7b948e1f324f719cfc739 |
C:\Windows\Installer\MSIA652.tmp-\srbhu.dll
| MD5 | fcbe6dec3d2da2ac9fd2754cc9cf6ad9 |
| SHA1 | 7954bdf16f99bf843c5c8053a078813d87c94254 |
| SHA256 | 71688a7955124b644cb05833d8285b876c7ff336eb4478ce01e1f80b07f7b76e |
| SHA512 | 5975297ac6aaa7d85842079809f9be2ad57959da2687de4bb7aa0764bc16dd878c482a92d7c4a4ed484aa7683f60c90b870757165f79d7ae481b7f7897e94c39 |
C:\Windows\Installer\MSIA652.tmp-\sppsm.dll
| MD5 | 787104ad9dea702d115883c489be54cb |
| SHA1 | b24680d170c610203df5e3d1d52b2b04f938dd56 |
| SHA256 | 934230fc9da4c6eac4b1f916baec075ac5faf1a70af14dcdb62d3d06ca878cd3 |
| SHA512 | 861147b8ed484a25a5ca9af8b7488896ee41dfd4eb57dafd4bb33455b03936c8fd930224fd9a1a0e8dcddf0fc33bc7adfc3ac48ca3ff430122f3ce18952fe312 |
C:\Windows\Installer\MSIA652.tmp-\Smartbar.Personalization.Common.dll
| MD5 | 347b0b5d32b1a85b5450b08cfb6d2e75 |
| SHA1 | 7bfe1857974a6c6c3e882624d820311c1e3bf670 |
| SHA256 | 76a9f22039731c1fb3871876dd8c55d4ab75635367daa811ced5ed70eed950ac |
| SHA512 | d79edc2546249f71a19faa1ee4aebdfd2faa8b6b56615740c93023255c81716de6c4af484bde506f7dcd80b607d8804313589e58b05dd2448d5c1fca3cd39e92 |
C:\Windows\Installer\MSIA652.tmp-\srut.dll
| MD5 | feba43763a9b7fe1c94d681055d10167 |
| SHA1 | 49d30dedf868accf07e6895e1699a4d751235fd0 |
| SHA256 | 0634fa964eba9baed92e2a935aef925fdaa921a35424b6ae9bfaaace932dc49d |
| SHA512 | 680116cfe66472c4d6ae9c94d74cd3fe8cef1c9beade27c19e58369c2c6f238f9e63019d7ea2b8b35689b7c0e812f2ee49d26a56e6972d3e21dc5f7312cf81ef |
C:\Windows\Installer\MSIA652.tmp-\Smartbar.Infrastructure.Utilities.dll
| MD5 | 562ac9921d990126990c2f0bdce7081a |
| SHA1 | f395458d8e328cf4809385fef3e225d01f8a8fc0 |
| SHA256 | ef84e1ad9cf174a9ab0bba648b56f2ffd17f4cb4421902b61559b544d812e738 |
| SHA512 | f52a9a62ca7d810804289ffe0300919eea529f2e0d4d07709309e101087809a5a004437184f3a3518fcd286db18947d78ce00bafbcbbe7b62a8aca4cf8295208 |
\??\c:\Users\Admin\AppData\Local\Temp\aoyvndj1.cmdline
| MD5 | fec7fe12bb4be6b96e8f1f19fbd8227b |
| SHA1 | bfe47608bc1a278bd7b819a7a5a57ad9e1eb08c4 |
| SHA256 | 0e487515895352de4257a1771dffa2adb85edfe3122c4998bd17954c04f90992 |
| SHA512 | 80de57e83857c1522db7795f49b0521d764fae915f738b9ea5cceea4948915f4109832ff82c3ce47434965a377bb8d1a3b5e3d0f4543bf21a4824681bd17b204 |
\??\c:\Users\Admin\AppData\Local\Temp\aoyvndj1.0.cs
| MD5 | 6f8e0c3c3b1b9a297b8ee6bfbb9c2a2c |
| SHA1 | 1dbab29ad6fb169fad90e963dd0c5290f27272fc |
| SHA256 | e0514048fd6f4169c41896332a243cf014a719e5fe217c5743fc3c7149db578a |
| SHA512 | 193fc4f01b6afb2a858f006eb7c5dfd6106d88b0b0e0f12b4c8c103a8bae270ff0d583886ec5af910ce4d50cb1ccfb54a14d27fd517b847a624d9ba79f688640 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCAAF5.tmp
| MD5 | a389c64f99b34c25e90104b7ed4ad010 |
| SHA1 | 94542e287c0f7d5524f9bc1e479c62ec92b71f86 |
| SHA256 | 7d8b48b95e3cdbfb19bc1eb091b57dd6e67c90e08ef1216bfc6aec7158442ca1 |
| SHA512 | cd9fb79ccc4d57daed919d60d9279ac70b2dd7a69a6aaff376ab22261b16c1bf32f0e56bc8cdd61a61ba5c5f42896e01ee736d6233d0147b6d90bb28c08fcd52 |
C:\Users\Admin\AppData\Local\Temp\RESAAF6.tmp
| MD5 | 0933450d13a24c49e08abc467cbc3f8b |
| SHA1 | 167cb8f6d76d7a060d97aa71e073a6c0e53c5ecb |
| SHA256 | 8f97123b65d069cc0a9d246df0e4611907d6880436320791f5f02f099b05f5df |
| SHA512 | f1dff8943bf4ebb7ee32b544a2763d871090b96ef45269a72765f09c1f17cdbb0ecd8b12bd31373a3940f3e40a4e486f56678e55624ba9e9a752df62ad95a1b1 |
C:\Users\Admin\AppData\Local\Temp\aoyvndj1.dll
| MD5 | 1d12c15c5d8d27af5159b278c1790f1d |
| SHA1 | c1746652fdc03de1ea7e6c57c755d4e30b85db1e |
| SHA256 | 81c9a19ff5817b4cf8e6acb3469f8ad913c6d12c314d2cf47750825394730b2c |
| SHA512 | 7ad77b2493d360e2eac7c79a232f01df9f5b175fdd2ce3f1e5a4df1a7410b3c2c3dfb9abf8f2a76f135b811a657aa37fe2a8860d944a17c642af1a0a718d7d0d |
C:\Windows\Installer\MSIA652.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
| MD5 | 7868ed46c34a1b36bea10560f453598f |
| SHA1 | 72330dac6f8aed0b8fde9d7f58f04192a0303d6b |
| SHA256 | 5c17864f1572acec1f93cf6355cfd362c1e96236dcba790234985a3f108d8176 |
| SHA512 | 0cc913337e3334ff0653bc1fad044d9df60a8728c233dcc2c7f6139f14608740b70b57c25a9d2d895cbc4d59508779f342a72406e623d30365ae89fb2a3607ba |
C:\Windows\Installer\MSIA652.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll
| MD5 | adb53ee43f74f430368449b98b2f6f86 |
| SHA1 | fb882d80da9ccf79c6817a492fbd686d4759bb41 |
| SHA256 | b7837a68ede7781286057de0b59b7bb9c7c29ff9e9ded32c7175cafe9de3b5ff |
| SHA512 | 8fc2cd5a585c8247274fbe8d53ac27faa1f2b0407d27e5e78d6917cfa94947ace2aa20ca670a5b87e3d7a939360691102ed9c7530ec997af1057064bcb9c085a |
\??\c:\Users\Admin\AppData\Local\Temp\i7foblf0.cmdline
| MD5 | 6d6c044bdfdd766a6f9e265960e14d6f |
| SHA1 | 014dab5043090a4d51ca96e7bf58b7466e0e2d7b |
| SHA256 | 4db4ac785b3909de89648c05be8d113690f9a3ce2d370758557e0970d961816c |
| SHA512 | 21352f049e8b207131ea64ae955de94c4ce57fac2007e7c2e49e1816846900e9ffe641c197af48ef609ead41de3caf9b51e5424391e9f6b6f8a9741d9d74a253 |
C:\Windows\Installer\MSIB018.tmp-\CustomAction.config
| MD5 | 796621b6895449a5f70ca6b78e62f318 |
| SHA1 | 2423c3e71fe5fa55fd71c00ae4e42063f4476bca |
| SHA256 | 09be5df7a85545fd93d9fd3cd1d6c04c6bfe6e233c68da6f81c49e7a35fcbb84 |
| SHA512 | 081cf1dadb3a0e50f0a31ab03e2b08e80298c06070cd6f9b2806c08d400c07134623f7229a6c99910c6243dfa53c6e2c05d09a497aae1e701bc34b660cf9e4c9 |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133CPress.png
| MD5 | 5719ee7f6521ae142f0557f0706cded1 |
| SHA1 | a1d5694197827967aea5b3ccc88e2f91d465c283 |
| SHA256 | 0a2ae8f3e9aa552748cfeadaec055778487602e7f6d4a6c2a221fe1fd496bfaf |
| SHA512 | cde76dada9e798a746d7ae23ee189940a6b7660805267a9221501c5c911a89b298005f111622fae7c886e810e23f83b77d47fa75793d19441246eb775a2f2bf6 |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\3C610B86-19DE-4757-B46A-871C9C27FF0APress.png
| MD5 | 2768222689e3585d609b5a2afc1ba52c |
| SHA1 | ee522df6b2e365857bf6be58ac7150cbc71cfc9c |
| SHA256 | 21ee471e79b0a646735e132bc1f0c48f464677127b105426e00b160a554de6b0 |
| SHA512 | 56527749dca471af92eb4166b2bb6f1ca4cbf07c8d7e1a201378467f1d08efe5fd913715bb995d35c7d511b2cbdc9469d79baae7ee4bab619e4e11753c3505e4 |
memory/1096-585-0x00000000035B0000-0x00000000035C0000-memory.dmp
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png
| MD5 | e6ab030a2d47b1306ad071cb3e011c1d |
| SHA1 | ed5f9a6503c39832e8b1339d5b16464c5d5a3f03 |
| SHA256 | 054e94c94e34cef7c2fad7a0f3129c4666d07f439bfec39523dca7441a49bd7c |
| SHA512 | 4cbb002cc2d593bafd2e804cb6f1379187a9cae7d6cc45068fda6d178746420cc90bcd72ba40fc5b8b744170e64df2b296f2a45c8640819aa8b3c775e6120163 |
memory/1096-1036-0x0000000074452000-0x0000000074453000-memory.dmp
memory/3520-1112-0x000001FB4AA30000-0x000001FB4AA56000-memory.dmp
memory/3520-1139-0x000001FB4AA60000-0x000001FB4AA80000-memory.dmp
memory/3520-1236-0x0000000000A20000-0x0000000000B03000-memory.dmp
C:\Windows\assembly\tmp\FU82BLXB\System.Data.SQLite.dll
| MD5 | c2e38bfe933c5bce36910fe1fb1d5067 |
| SHA1 | aac5ed2724e2f88c7af1a3bf56d73180ae709bb7 |
| SHA256 | 49a51063aaccc22a28590575417bdff40a67a06e6f2a67217b37af1b49fa6286 |
| SHA512 | 281225b5e7193270b27811224c70475fc9af47c5d05a7e98f6856ad6abccff084302d0ddb72868d6872eef2efaf2989645af5e596083bfb995f214182aa4184d |
C:\Windows\assembly\tmp\KAZMJY3J\Interop.SHDocVw.dll
| MD5 | 030a99f9594434ea83d27b33a95c4d5a |
| SHA1 | 230882058a1d50e4e8f7fa4bb3144dec506c5967 |
| SHA256 | 0fdc72a06cc54771f1b07293d2e914cded985d84833ed4bf952a665eb107b5a3 |
| SHA512 | 529d14374df0b455db055027f42ccf731ddf4b7bef8fc27bffa2ff5a46463dc6b3cacf75fd6356e325f075d7fb70ad0f8abd85feb75d00befd1c86aec857d7ee |
C:\Windows\assembly\GAC\Microsoft.VisualStudio.OLE.Interop\7.1.40304.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.OLE.Interop.dll
| MD5 | 459ff9c6762b7fdd91c156ff3e096478 |
| SHA1 | 7179debce9a271450b1241e7435a999aea1ddd05 |
| SHA256 | 93865c89e1507409fbbeb9433542a303cdd2fd5acda3d51fecd83e4a8fb8072c |
| SHA512 | 8b95330d364413122427604af1c0e848694975eb8c541b911aeb0d50fbb5cd15a60863f68593f1088b26f83500f400f52292a2891511223f796be750c6a7583a |
C:\Config.Msi\e57a05a.rbs
| MD5 | 13fb799705a6cb827151d411e8ebdccb |
| SHA1 | 45378031d20ec6cf28ac0d8120e270bdb7eabd85 |
| SHA256 | b99919c6ce0a005161306713b15dcc8b90c6edec5ed03de3636e717d31c71610 |
| SHA512 | a55478ae4ecb258057e24bee83973f282bd8c4e76bbd662fc425631fb88c00ba3a8ec041ac5fe6dd60317988cf97e0b255b925b0e59da3bab6d054be3c720045 |
memory/1096-1274-0x0000000074450000-0x0000000074A01000-memory.dmp
C:\Windows\Installer\MSIBDA6.tmp-\srprl.dll
| MD5 | d8fa7df1f2cd92ad701bc23f86d89b54 |
| SHA1 | 72160fd5ad639c5a9c44305b06c98eb637399d18 |
| SHA256 | 475a2c225258c571ae66c0178a83177bd5a59f4ce1be1f867e14e75614ad43e4 |
| SHA512 | a4d11c7f66325199f5c3a41cc37f32cf6ee828d790add1a6b77b9127e65243bb17dcc10b1cb2cbaac4e543bc329bd30e64919ffc0af3fd6088a672e08e10e992 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0
| MD5 | 5bfa51f3a417b98e7443eca90fc94703 |
| SHA1 | 8c015d80b8a23f780bdd215dc842b0f5551f63bd |
| SHA256 | bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128 |
| SHA512 | 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399 |
C:\Users\Admin\AppData\Local\Smartbar\Application\ro-anqo1.newcfg
| MD5 | ec3f05ac2148162ddb052f23299b8ecb |
| SHA1 | 6ce68e94fb7df83ae34094a85abfefce8a3b8d79 |
| SHA256 | 449ab9dae5f16f9dc9e70e37930aeb4c78e057debbb8fe25fb5460a9666ec016 |
| SHA512 | d166cb06e095281a4a26bdb78e7752d8f9d0e408aa3048eea2294222aa0b7e901364ba377cfc353ada392693b15736c96267697dcabc745f2e4b3d539599b70a |
memory/1736-1396-0x0000000001280000-0x0000000001298000-memory.dmp
memory/1736-1404-0x000000001EFC0000-0x000000001F48E000-memory.dmp
memory/1736-1405-0x000000001DAF0000-0x000000001DB8C000-memory.dmp
memory/4316-1414-0x000000001D0D0000-0x000000001D0F6000-memory.dmp
memory/1456-1422-0x000000001D110000-0x000000001D8B6000-memory.dmp
memory/1456-1423-0x000000001D8C0000-0x000000001E066000-memory.dmp
memory/660-1431-0x0000000001FD0000-0x0000000001FF6000-memory.dmp
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | a9a3edfcdc820f33d715f0d0f55d4efb |
| SHA1 | 5413d800cecd998d708c9b46b84671d984a0c00e |
| SHA256 | 94a9148b3668f76a0d5cdbd0abf890951582dcf4826a4ecc8d98b778c13ef2ba |
| SHA512 | ad70d480b0acce7ecb39e1629831a33f26b070e5eaf8a57b5ec984f6badb0325b9ba3390c736df3d79908f161afe4bb6274a2c9ced735009fae14e6000cd1421 |
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | 0de91a22c45eaf08b128a010c8b40b9b |
| SHA1 | bdd8ba9c084e2344403319f7ba6a610e772d6d41 |
| SHA256 | 40c0f67bcb96532db5d291ca9da2bfd3e765ded857ba051c54cbd19c714df6bc |
| SHA512 | 70f332c99bb7b1a377eeb78cb8530c6e5d03b215679b01c5a193ac85c187171f0220e55634fc8aec00ae651e46ab83a7ed16588fd2f235f182c24c52361115fd |
C:\Windows\Installer\MSIBDA6.tmp-\Newtonsoft.Json.dll
| MD5 | 0e32f5229d5ee7d288b6b3969a51fcbc |
| SHA1 | 54c09f07930525786fcf08b9c7aca24185a68fc1 |
| SHA256 | e1ca33208030c858254249b2c9aa6d8541c2e875343b2997f2b2f9e4993c96f8 |
| SHA512 | 64e8499e668ea44397ed5ea009e3692b623d2ac01bdd43e460624fe0282a3398025e4e53282e0f0905062b60400f4c16a64933ed7667de942f1588dd936aebcb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0
| MD5 | 54e380dd63dbc5d5dc1f7f8cc3d3bf84 |
| SHA1 | 30be5eb3f1bbbfd2c05fdc31fc12d33174229e17 |
| SHA256 | 5d369fe69747e819966932849599922a4b774d8d8d1c30516272d4b033a80db3 |
| SHA512 | 91b7a3827a8ee75dd4a06ccfa8fea3892c68d98a5912fb9f9987ce2ef9ddcd232318f7668185f90704b2cb58f677f3e21b557001e0be290d42a0a5eaf463ec4a |
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | e505ded7b32776e1214a6d7acb045ec3 |
| SHA1 | 9be26f84e2bf2596ff5d1ac60108ee1c15d646b8 |
| SHA256 | d11d2cbfd3093f4d03660a47118193223ca2292c85177cbb6b128e2a55e47f99 |
| SHA512 | 3502425116ddd29b4b55d1c65061d13411432c1390840aa4560792f3647eaf9ecf7e4997da3cd3f559c13c4e47e288334d228acb550ad3e3eb0da70b4c9b20d9 |
C:\Windows\Installer\MSIBDA6.tmp-\srsl.dll
| MD5 | 6fc50184e3aad7f4df0231da697a9da8 |
| SHA1 | fef8608d31e8e1c16ca7db402fa352ee7231585b |
| SHA256 | 58e698c208cd6ad94d2da3511447a975605e2b49bbdb7b572863f318aaffe0cf |
| SHA512 | 626b0a4031571ca906311937583f646aebdc7aacd5afb5ddf66c2d45dbc335e026d337d4f5803c38ddd022b9e64c79b4dd30d094d5d01a669e99d6c6829650b4 |
C:\Windows\Installer\MSIBDA6.tmp-\Interop.NetFwTypeLib.dll
| MD5 | a084b0c082ec6c9525336b131aeba39a |
| SHA1 | 45db1f5cc54a033e5df460b93edaa5d23a39ced9 |
| SHA256 | 7cba99a0f2a5b233e341f691c2aa6cb4ca10065425fc478b56fa468d6b0af54d |
| SHA512 | 297ba29e1ee4300f1a11620d475e67a9747fd9affabeee5fb5151b07c931c8f5c5af12b956e2ab7bd7dc6ebb1dbc298f5d56fa419f5fe2e3646053c0e515e29b |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\user.config
| MD5 | 412f580eb07d35c64c47769f3e0f1ae9 |
| SHA1 | 0f3e2be15d821fd6fd57526920d837e87dadfd1d |
| SHA256 | 65545235e3b9cbe06bd3f14a777cc9bed8742fd9717c886e5f0a6f3b37e73a4f |
| SHA512 | 0c2b8bafb4d6964d79b702d0c2fee58e8e4e23c512013dd317220e8e753b550d2ac9044fddfd1383da4a8cce6e5fdb660c3f595082df75e8cc6968691d0692fa |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\u3j87juk.newcfg
| MD5 | 2a9604fa68518d0ec0d3783017ebe464 |
| SHA1 | 1ee147df69076670a44b54ea5a6866a422ca591b |
| SHA256 | c7c5396c16616012759072255f9f59e1d9e1f9025ea5cee00434b810b49796e9 |
| SHA512 | 737047186216c9198678ba39dbb7e84c3a0b8fc76e5a890546415396796469bdbbc1203e31f1b341374839853c8fb37b380be3cc052bdd41c8ed819f158551f7 |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\7vvowchy.newcfg
| MD5 | b4afa27ace75e82f55deb92fdfc2a2be |
| SHA1 | 50d69c5cd0318c462e8f339b7f8aa292bc5af824 |
| SHA256 | 084597dc6264afcb8298f2c34b520aba44f744e9a6b2a0fdccdcf1c62bb29fc1 |
| SHA512 | 05f6048c68ccbc6a1043f65931c38f61d3811ffa1e6ad5f74b45dfe655b2f602078ce3cc643d326ea1ab6214b3ad2ca85c247497e4e80ea88bb7ac745e0c3bc3 |
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | dcb4c10a7439e80c7106804ec33811c2 |
| SHA1 | 6716e17b3bcbba80f125e9eb00cd7f2372355d2e |
| SHA256 | 0ff71bd67aba6a6f7870f99d18b08397c860ab81c99d1041cde5c853b8fcb50c |
| SHA512 | 3520f2f944bbd652698022f5388ac0e00b9dd1a034372893ac1afd11387d604078635ea2cb2fc6082654ce4b7f937fe766403c32e6ea1d25d15624d98d30fd24 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
memory/1096-1914-0x0000000074450000-0x0000000074A01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsp9386.tmp\Ping.dll
| MD5 | b0e9ba9dab60cb7a9fd886dcf440cac3 |
| SHA1 | c416f6e9ba379feb9008c775d8456514444b66da |
| SHA256 | 52d52e5a1e1cec3e2db08555a8b2651f636cf76c6a24e32aa446595365cf193f |
| SHA512 | 90de38a7c57f59e8deb17c2473a215e2f052aee909a47ef37a88fefcfaeb5e6b54d462a39bcac4d0f1aa88d1806ba9e1237d0eeba98f7a0479bd6825e841f043 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IQ93NPJ1\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
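The Files list above is flat: a path line followed by hash rows, with memory-dump entries interleaved, and the same path can appear several times with different hashes (UserSettings.xml was written four times with four different contents, so those are successive rewrites, not duplicates). Two clusters are recognisable by path alone. C:\Windows\Installer\MSIxxxx.tmp-\ is where Windows Installer unpacks a managed custom-action package; the Microsoft.Deployment.WindowsInstaller.dll sitting beside the Smartbar DLLs is the WiX DTF host for them. The aoyvndj1.cmdline, aoyvndj1.0.cs, CSCAAF5.tmp, RESAAF6.tmp and aoyvndj1.dll set (and i7foblf0.cmdline) is the footprint of a .NET process compiling C# at run time through csc.exe, most commonly XmlSerializer generating a temporary serialization assembly. The parser below is an added example, not code from the report or from the software it describes; it turns the list into records, dedupes by SHA256 and tags paths with the analyst's own heuristic categories. The sample is a subset of the entries above with some hash rows omitted.

```python
"""Added parser for the report's flattened Files list: a path line followed by
'| MD5 | ... |' rows, with memory-dump entries interleaved. Produces records,
a SHA256 blocklist view, and a rough category per path."""
import re
from collections import defaultdict

# Entries copied from the Files list above (a subset; some hash rows omitted).
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\nsp9386.tmp\Registry.dll
| MD5 | 2b7007ed0262ca02ef69d8990815cbeb |
| SHA256 | 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d |
C:\Users\Admin\AppData\Local\Temp\Installer.exe
| MD5 | 564e47a3604ced3b7c18e43250226cd7 |
| SHA256 | 12ae00fe728b441221acd10483eeb1197884738e9bd6eb715ceadeea058c6c83 |
C:\Windows\Installer\MSIA652.tmp-\Smartbar.Installer.CustomActions.dll
| MD5 | 2120dbb0481374885af660346f503b9b |
| SHA256 | ef0e1d3a5f58e797c47d1ca2999e6ab1e94520c3816a8264874920c26c9ae474 |
\??\c:\Users\Admin\AppData\Local\Temp\aoyvndj1.cmdline
| MD5 | fec7fe12bb4be6b96e8f1f19fbd8227b |
| SHA256 | 0e487515895352de4257a1771dffa2adb85edfe3122c4998bd17954c04f90992 |
C:\Users\Admin\AppData\Local\Temp\aoyvndj1.dll
| MD5 | 1d12c15c5d8d27af5159b278c1790f1d |
| SHA256 | 81c9a19ff5817b4cf8e6acb3469f8ad913c6d12c314d2cf47750825394730b2c |
memory/1096-27-0x00000000035B0000-0x00000000035C0000-memory.dmp
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | a9a3edfcdc820f33d715f0d0f55d4efb |
| SHA256 | 94a9148b3668f76a0d5cdbd0abf890951582dcf4826a4ecc8d98b778c13ef2ba |
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | 0de91a22c45eaf08b128a010c8b40b9b |
| SHA256 | 40c0f67bcb96532db5d291ca9da2bfd3e765ded857ba051c54cbd19c714df6bc |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Heuristic path rules for this report, first match wins (analyst's own labels).
RULES = [
    ("memory-dump", re.compile(r"^memory/.*-memory\.dmp$", re.I)),
    ("nsis-plugin", re.compile(r"\\temp\\ns[a-z0-9]{4,5}\.tmp\\", re.I)),
    ("msi-custom-action", re.compile(r"^c:\\windows\\installer\\msi[0-9a-f]{3,5}\.tmp-\\", re.I)),
    ("msi-temp-binary", re.compile(r"^c:\\windows\\installer\\msi[0-9a-f]{3,5}\.tmp$", re.I)),
    ("runtime-csharp-compile", re.compile(
        r"\\temp\\(?:[a-z0-9]{8}\.(?:cmdline|0\.cs|dll|pdb)|(?:csc|res)[0-9a-f]{4}\.tmp)$", re.I)),
    ("smartbar-appdata", re.compile(r"\\appdata\\local\\smartbar\\", re.I)),
    ("gac", re.compile(r"^c:\\windows\\assembly\\", re.I)),
    ("crl-cache", re.compile(r"\\cryptneturlcache\\", re.I)),
    ("msi-rollback", re.compile(r"^c:\\config\.msi\\", re.I)),
    ("temp-drop", re.compile(r"\\appdata\\local\\temp\\", re.I)),
]


def normalize(path):
    """Drop the NT object-manager prefix some entries carry."""
    return path[4:] if path.startswith("\\??\\") else path


def classify(path):
    path = normalize(path)
    for category, rx in RULES:
        if rx.search(path):
            return category
    return "other"


def parse_files(text):
    """Any non-hash line starts a new entry; hash rows attach to the last one.
    Digests of the wrong length for their algorithm are dropped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m is None:
            records.append({"path": normalize(line), "category": classify(line), "hashes": {}})
        elif records:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) == HASH_LEN[algo]:
                records[-1]["hashes"][algo] = digest
    return records


def unique_sha256(records):
    """sha256 -> first path seen with it; the blocklist-ready view."""
    out = {}
    for r in records:
        h = r["hashes"].get("SHA256")
        if h and h not in out:
            out[h] = r["path"]
    return out


def versions_by_path(records):
    """Paths written more than once with different content (rewritten configs)."""
    seen = defaultdict(set)
    for r in records:
        if "SHA256" in r["hashes"]:
            seen[r["path"].lower()].add(r["hashes"]["SHA256"])
    return {p: len(s) for p, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    recs = parse_files(SAMPLE_FILES)
    for cat in sorted({r["category"] for r in recs}):
        print(cat, [r["path"] for r in recs if r["category"] == cat])
    print("distinct sha256:", len(unique_sha256(recs)), "rewritten:", versions_by_path(recs))
```

When feeding the full list through this, the memory-dump entries carry no hashes and are skipped by the blocklist view, and the icon PNGs, WMSDKNS.XML and CryptnetUrlCache files fall under categories you would not block on; what is left in temp-drop, nsis-plugin and msi-custom-action is the set worth hunting for.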
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-29 03:35
Reported
2024-11-29 03:38
Platform
win7-20241010-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Ping.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Ping.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 220
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-29 03:35
Reported
2024-11-29 03:38
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4624 wrote to memory of 388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4624 wrote to memory of 388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4624 wrote to memory of 388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Ping.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Ping.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 388 -ip 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 608
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-29 03:35
Reported
2024-11-29 03:38
Platform
win7-20240708-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Registry.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Registry.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 224
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-29 03:35
Reported
2024-11-29 03:38
Platform
win10v2004-20241007-en
Max time kernel
90s
Max time network
144s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4440 wrote to memory of 1952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4440 wrote to memory of 1952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4440 wrote to memory of 1952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Registry.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Registry.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1952 -ip 1952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
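behavioral3 to behavioral6 are the sandbox running the two dropped NSIS plugins (Ping.dll and Registry.dll) on their own as rundll32.exe <dll>,#1, on Windows 7 and Windows 10. Three things in those listings should be read as expected behaviour rather than as signal. The crash: an NSIS plugin export expects the installer's stack and variable block as its parameters, while rundll32 passes its own four arguments (window handle, module handle, command-line string, show flag), so the plugin dereferences nonsense and WerFault reports it. The system32\rundll32.exe to SysWOW64\rundll32.exe pair with WriteProcessMemory events: that is the 64-bit rundll32 re-launching its 32-bit counterpart for a 32-bit DLL, and the writes are process start-up, not injection. The NLS\Language key open behind "System Language Discovery": it fires here for a rundll32 process that does nothing but crash, so treat it as start-up noise unless it shows up in a process that got further. The script below is an added example, not the sandbox's code; it applies those three checks to process records built from the behavioral4 listing. PIDs 4624 and 388 appear in the report; the WerFault PIDs and the parent links are constructed placeholders.

```python
"""Added triage helper for the behavioral3-6 process listings: pick out the
rundll32 plugin loads, separate the 64->32-bit rundll32 hand-off from real
injection, and map each WerFault back to the process that crashed."""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Built from the behavioral4 listing above. PIDs 4624 and 388 are in the
# report; the WerFault PIDs and parent links are constructed placeholders.
SAMPLE_PROCS = [
    Proc(4624, 1, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Ping.dll,#1"),
    Proc(388, 4624, r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Ping.dll,#1"),
    Proc(9001, 0, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 388 -ip 388"),
    Proc(9002, 0, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 608"),
]

RUNDLL_RE = re.compile(r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.+)$', re.I)
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")


def parse_rundll32(cmdline):
    """Return (dll_path, entry_point) for a rundll32 command line, else None.
    rundll32 splits on the first comma; entry_point is '#<ordinal>' or a
    name, or None when the DLL was given without one."""
    m = RUNDLL_RE.match(cmdline.strip())
    if not m:
        return None
    dll, _, tail = m.group(1).partition(",")
    entry = tail.split()[0] if tail.strip() else None
    return dll.strip().strip('"'), entry


def find_plugin_loads(procs):
    """rundll32 calling an ordinal export of a DLL under an NSIS $PLUGINSDIR."""
    hits = []
    for p in procs:
        parsed = parse_rundll32(p.cmdline)
        if (parsed and "\\$pluginsdir\\" in parsed[0].lower()
                and (parsed[1] or "").startswith("#")):
            hits.append((p.pid, parsed[0], parsed[1]))
    return hits


def find_wow64_relaunch(procs):
    """Pair a system32 rundll32 parent with a SysWOW64 rundll32 child.
    Same DLL argument: the normal hand-off for a 32-bit DLL, so the parent's
    WriteProcessMemory into the child is process start-up, not injection.
    Different argument: worth a look, reported under 'mismatch'."""
    by_pid = {p.pid: p for p in procs}
    expected, mismatch = [], []
    for child in procs:
        if not child.image.lower().endswith("\\syswow64\\rundll32.exe"):
            continue
        parent = by_pid.get(child.ppid)
        if not parent or not parent.image.lower().endswith("\\system32\\rundll32.exe"):
            continue
        c, pa = parse_rundll32(child.cmdline), parse_rundll32(parent.cmdline)
        if c and pa and c[0].lower() == pa[0].lower():
            expected.append((parent.pid, child.pid, c[0]))
        else:
            mismatch.append((parent.pid, child.pid))
    return {"expected": expected, "mismatch": mismatch}


def crashed_pids(procs):
    """Map each WerFault '-p <pid>' to the faulting process's command line."""
    by_pid = {p.pid: p for p in procs}
    out = {}
    for p in procs:
        if p.image.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID_RE.search(p.cmdline)
            if m:
                pid = int(m.group(1))
                out[pid] = by_pid[pid].cmdline if pid in by_pid else None
    return out


if __name__ == "__main__":
    print("plugin loads:", find_plugin_loads(SAMPLE_PROCS))
    print("wow64 hand-off:", find_wow64_relaunch(SAMPLE_PROCS))
    print("crashed:", crashed_pids(SAMPLE_PROCS))
```

The useful detection here is the mismatch branch: a SysWOW64 rundll32 child whose DLL argument differs from its system32 rundll32 parent, or a rundll32 parent writing into anything other than its own 32-bit re-launch, is not explained by the hand-off and deserves the WriteProcessMemory signature's weight. The $PLUGINSDIR match is a way to spot NSIS plugins being run outside their installer, which is what the sandbox did here and which a real payload chain can also do.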